> On July 3, 2020, 5:32 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Lines 1537 (patched)
> > <https://reviews.apache.org/r/72626/diff/1/?file=2235136#file2235136line1537>
> >
> > 1. consider renaming checkAdminAccess() => ensureAdminAccess(String operation)
> > 2. update calls to this method with following parameter:
> >    #286: ensureAdminAccess("create user " + user);
> >    #306: ensureAdminAccess("create group " + group);
> >    #334: ensureAdminAccess("create role " + role);

Added separate message for each individual scenario.


> On July 3, 2020, 5:32 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Lines 1543 (patched)
> > <https://reviews.apache.org/r/72626/diff/1/?file=2235136#file2235136line1543>
> >
> > - session will not be null in #1543 - see above #1539
> > - consider the following message:
> >   "user " + session.getLoginId() + " does not have permission to perform '" + operation + "'"

Changed the message.


- Dineshkumar


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72626/#review221121
-----------------------------------------------------------


On July 10, 2020, 11:22 a.m., Dineshkumar Yadav wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72626/
> -----------------------------------------------------------
>
> (Updated July 10, 2020, 11:22 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar,
> Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Ranger user having role as "user" with delegate admin permission able to
> create policy which has non-existing users/groups/roles in the specified
> policy.
> Only admin users should be able to create policy with new users/groups/roles
> on the fly creation of users/groups/roles.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 6bd06f484
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 4fb21a094
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java ff8e2ba43
>
>
> Diff: https://reviews.apache.org/r/72626/diff/2/
>
>
> Testing
> -------
>
> Without patch steps
> 1. Create user with role “user”
> 2. Give him delegate admin role.
> 3. Create policy using curl request where specified policy should
>    include non existing user/group.
> 4. It will be able to create the policy.
>
> With patch same steps will give error “operation denied user/group specified
> in policy does not exist in ranger admin.”
>
>
> Thanks,
>
> Dineshkumar Yadav
>
>
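
An added example, not part of the review thread or the Ranger patch: a self-contained sketch of the check discussed above, in which a principal named in a policy but unknown to the admin store is created on the fly only for admin callers. Apart from `ensureAdminAccess(String operation)` and the message text, which follow the reviewer's suggestion, every class, field and method name here is hypothetical, and the user names are constructed sample data.

```java
import java.util.HashSet;
import java.util.Set;

// Added illustration; names other than ensureAdminAccess are hypothetical
// and do not reproduce Ranger's code.
public class PolicyRefCheckExample {
    // Hypothetical stand-in for the logged-in session.
    record Session(String loginId, boolean isAdmin) {}

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final Session session;
    // Constructed sample data: users that already exist in the admin store.
    private final Set<String> knownUsers = new HashSet<>(Set.of("alice", "bob"));

    PolicyRefCheckExample(Session session) { this.session = session; }

    // Message format follows the reviewer's suggestion in the thread.
    void ensureAdminAccess(String operation) {
        if (!session.isAdmin()) {
            throw new AccessDeniedException("user " + session.loginId()
                    + " does not have permission to perform '" + operation + "'");
        }
    }

    // Resolve every user named in a policy; unknown names are created only for admins.
    void resolvePolicyUsers(Set<String> policyUsers) {
        for (String user : policyUsers) {
            if (!knownUsers.contains(user)) {
                ensureAdminAccess("create user " + user); // throws before anything is created
                knownUsers.add(user);
            }
        }
    }

    public static void main(String[] args) {
        // Delegate-admin rights on a resource do not make the caller an admin.
        PolicyRefCheckExample delegate = new PolicyRefCheckExample(new Session("deleg1", false));
        try {
            delegate.resolvePolicyUsers(Set.of("alice", "ghost"));
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
        PolicyRefCheckExample admin = new PolicyRefCheckExample(new Session("admin", true));
        admin.resolvePolicyUsers(Set.of("alice", "ghost"));
        System.out.println("admin created ghost: " + admin.knownUsers.contains("ghost"));
    }
}
```

The same guard applies to groups and roles, with the operation string changed to "create group " or "create role " as in the reviewer's list.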
