----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/71724/#review218651 -----------------------------------------------------------
Ship it! Ship It! - Madhan Neethiraj On Nov. 15, 2019, 5:50 p.m., Abhay Kulkarni wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/71724/ > ----------------------------------------------------------- > > (Updated Nov. 15, 2019, 5:50 p.m.) > > > Review request for ranger, Madhan Neethiraj, Ramesh Mani, and Sailaja > Polavarapu. > > > Bugs: RANGER-2642 > https://issues.apache.org/jira/browse/RANGER-2642 > > > Repository: ranger > > > Description > ------- > > If Grant/Revoke REST API is invoked by a user which is not a admin or not > listed in policy.grantrevoke.auth.users config parameter value, then resource > being granted permission to should not specify ownership information. > Otherwise, such user may be able to modify a resource for which it does not > have delegated-admin privilege. > > > Diffs > ----- > > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java > 6cd8634a5 > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > 333672dbc > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 20849f650 > > > Diff: https://reviews.apache.org/r/71724/diff/8/ > > > Testing > ------- > > Passed all unit tests > > > Thanks, > > Abhay Kulkarni > >
