> On July 1, 2020, 1:27 p.m., Pradeep Agrawal wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Lines 1537 (patched)
> > <https://reviews.apache.org/r/72626/diff/1/?file=2235136#file2235136line1537>
> >
> > There are already several methods to check admin access in this class,
> > not sure it's a good idea to have one more like this.
> >
> > If you are going to keep this method then please review existing calls
> > to other check admin methods and see if any of them can be replaced with
> > this.

This method is for the scenario where the user is a Delegate Admin having role "user" trying to create a policy with existing user/group/role. In case the specified policy has a non-existing user/group/role, it will give a specific response, as the existing response is common.

- Dineshkumar

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72626/#review221113
-----------------------------------------------------------

On July 1, 2020, 7:05 a.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72626/
> -----------------------------------------------------------
>
> (Updated July 1, 2020, 7:05 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar,
> Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> A Ranger user having role "user" with delegate admin permission is able to
> create a policy which has non-existing users/groups/roles in the specified
> policy.
> Only admin users should be able to create a policy with new users/groups/roles
> (on-the-fly creation of users/groups/roles).
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 9ce481c63
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 4fb21a094
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java ff8e2ba43
>
>
> Diff: https://reviews.apache.org/r/72626/diff/1/
>
>
> Testing
> -------
>
> Without patch steps
> 1. Create a user with role "user".
> 2. Give him the delegate admin role.
> 3. Create a policy using a curl request where the specified policy should
>    include a non-existing user/group.
> 4. It will be able to create the policy.
>
> With the patch, the same steps will give the error "operation denied user/group
> specified in policy does not exist in ranger admin."
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
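
An added example, not part of the review thread and not Ranger's code: a minimal Java sketch of the rule in the description above, where a policy naming unknown users/groups/roles is rejected unless the caller is an admin. All class, record and method names are hypothetical, and the sample principals and error text are constructed.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical names throughout; this is not Ranger's RangerBizUtil or PolicyRefUpdater.
public class PolicyPrincipalCheck {
    /** Principals named in the policy being created (constructed model). */
    record PolicyRefs(List<String> users, List<String> groups, List<String> roles) {}

    /** Caller as resolved server-side from the session, never from the request body. */
    record Caller(String name, boolean isAdmin, boolean isDelegateAdmin) {}

    private final Set<String> knownUsers, knownGroups, knownRoles;

    PolicyPrincipalCheck(Set<String> users, Set<String> groups, Set<String> roles) {
        this.knownUsers = users; this.knownGroups = groups; this.knownRoles = roles;
    }

    /** Names referenced by the policy that do not exist yet, prefixed by kind. */
    Set<String> missingPrincipals(PolicyRefs refs) {
        Set<String> missing = new LinkedHashSet<>();
        for (String u : refs.users())  if (!knownUsers.contains(u))  missing.add("user:" + u);
        for (String g : refs.groups()) if (!knownGroups.contains(g)) missing.add("group:" + g);
        for (String r : refs.roles())  if (!knownRoles.contains(r))  missing.add("role:" + r);
        return missing;
    }

    /** Only admins may create principals on the fly; delegate admins must use existing ones. */
    void authorizeCreate(Caller caller, PolicyRefs refs) {
        Set<String> missing = missingPrincipals(refs);
        if (!missing.isEmpty() && !caller.isAdmin()) {
            throw new SecurityException("Operation denied for " + caller.name()
                    + ": principals in policy do not exist: " + missing);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        var check = new PolicyPrincipalCheck(Set.of("alice"), Set.of("analysts"), Set.of("auditor"));
        var refs = new PolicyRefs(List.of("alice", "ghost"), List.of("analysts"), List.of());
        check.authorizeCreate(new Caller("admin", true, false), refs); // admin: allowed
        try {
            check.authorizeCreate(new Caller("bob", false, true), refs);
            throw new AssertionError("delegate admin should have been rejected");
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The check runs before any reference is persisted, so a rejected request leaves no partially created user, group or role behind.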
