> On Feb. 3, 2021, 6:55 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
> > Line 127 (original), 127 (patched)
> > <https://reviews.apache.org/r/73165/diff/1/?file=2245876#file2245876line127>
> >
> > Is a normal user allowed to see KMS service-def? The code changes seem
> > to open up all service-definitions to all users. Please clarify.
Normal users are not allowed to see KMS service-def. As per this change,
authorization will be handled by functions of ServiceREST class, i.e.
serviceREST.getServiceDef(id), serviceREST.getServiceDefByName(name),
serviceREST.getServiceDefs(request)
KeyAdmin and KMSAuditor role users can only access KMS service-def.
KeyAdmin and KMSAuditor role users can't see other service-def such as hdfs,
hive etc.
Admin, Auditor and User role users can't access KMS service-def.
Admin, Auditor and User role users can only access other service-def such as
hdfs, hive etc.
Following APIs will behave exactly the same (in terms of authorization) as
APIs mentioned in ServiceREST class.
1. GET API: "/service/public/v2/api/servicedef/" <==>
"/service/plugins/definitions/"
2. GET API: "/service/public/v2/api/servicedef/{id}" <==>
"/service/plugins/definitions/{id}"
3. GET API: "/service/public/v2/api/servicedef/name/{name}" <==>
"/service/plugins/definitions/name/{name}"
Current behavior of APIs mentioned in ServiceREST class is as follows:
* If Auditor or Normal user does not have permission on the "Resource Based
Policies", they can't access service-def using "/service/plugins/definitions/",
nevertheless they can get service-def by "id" and "name" through API
"/service/plugins/definitions/{id}" and
"/service/plugins/definitions/name/{name}" respectively. This behaviour is
because of current code at
https://github.com/apache/ranger/blob/5df512439c85199abacb84675b91d0b704fb61f0/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java#L531
which is not present in getServiceDefByName() and getServiceDef(long id)
functions of ServiceREST class.
* KeyAdmin, KMSAuditor role users can't see service-def which are accessible by
Admin, Auditor, User role users and vice versa.
- Mahesh
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73165/#review222550
-----------------------------------------------------------
On Jan. 29, 2021, 11:31 a.m., Mahesh Bandal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73165/
> -----------------------------------------------------------
>
> (Updated Jan. 29, 2021, 11:31 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Dhaval Shah, Gautam Borad, Kishor
> Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep
> Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3168
> https://issues.apache.org/jira/browse/RANGER-3168
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Following GET APIs should be accessible for other users.
>
> GET API: /service/public/v2/api/servicedef/
> GET API: /service/public/v2/api/servicedef/{id}
> GET API: /service/public/v2/api/servicedef/name/{name}
>
> If a user has permissions on the "Resource Based Policies" module, then he is
> able to view servicedef using Ranger-UI and therefore he should be able to
> access servicedef using GET API- /service/public/v2/api/servicedef/
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
> 19b93e67c
>
>
> Diff: https://reviews.apache.org/r/73165/diff/1/
>
>
> Testing
> -------
>
> 1. User and Auditor can access servicedef if they have permissions on the
> "Resource Based Policies" module.
> 2. KeyAdmin and KMSAuditor users can only access KMS servicedef.
>
>
> Thanks,
>
> Mahesh Bandal
>
>
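The authorization rules Mahesh lays out above (public v2 servicedef endpoints behaving exactly like their /service/plugins/definitions counterparts, KMS roles and non-KMS roles seeing disjoint sets of service-defs, and the list endpoint checking the "Resource Based Policies" module permission while the by-id and by-name endpoints do not) can be turned into a check that runs against all six endpoints. The script below is an added example and is not Ranger's code: `simulated_fetch` replays the stated rules on constructed sample service-defs and users so the check runs offline, and `http_fetch_factory` is an assumed basic-auth client for pointing the same checks at a live Ranger Admin. The role labels, ids, names, user names and the 403 denial status are assumptions, not values taken from Ranger.

```python
"""Parity and gap check for the RANGER-3168 service-def GET endpoints.
Added example, not Ranger code. fetch(path, user) -> (status, body) is pluggable:
simulated_fetch replays the rules stated in the review on constructed data (offline);
http_fetch_factory is an assumed basic-auth client for a live Ranger Admin."""
import base64
import json
import urllib.error
import urllib.request

PUBLIC_PREFIX = "/service/public/v2/api/servicedef"
PLUGIN_PREFIX = "/service/plugins/definitions"
# The three pairs from the review: public v2 <==> plugins/definitions.
ENDPOINT_PAIRS = [(PUBLIC_PREFIX + s, PLUGIN_PREFIX + s) for s in ("/", "/{id}", "/name/{name}")]

# Role labels as written in the thread, not Ranger's internal role constants.
KMS_ROLES = {"KeyAdmin", "KMSAuditor"}
MODULE_CHECKED_ROLES = {"Auditor", "User"}  # list endpoint needs 'Resource Based Policies'

# Constructed sample data; ids, names and user names are illustrative.
SAMPLE_DEFS = [{"id": 1, "name": "hdfs"}, {"id": 2, "name": "hive"}, {"id": 7, "name": "kms"}]
SAMPLE_USERS = [
    {"name": "alice", "role": "Admin", "has_rbp_permission": True},
    {"name": "bob", "role": "User", "has_rbp_permission": True},
    {"name": "carol", "role": "User", "has_rbp_permission": False},
    {"name": "dave", "role": "KeyAdmin", "has_rbp_permission": False},
]

def _visible(user, sdef):
    """KMS roles see only the kms def; every other role sees only non-KMS defs."""
    is_kms = sdef["name"] == "kms"
    return is_kms if user["role"] in KMS_ROLES else not is_kms

def simulated_fetch(path, user):
    """Replay the ServiceREST behaviour described in the reply. Both URL families
    share one logic; only the list endpoint checks the module permission, the
    by-id and by-name endpoints do not (the noted inconsistency). 403 is assumed."""
    if not path.startswith((PUBLIC_PREFIX, PLUGIN_PREFIX)):
        raise ValueError("not a service-def path: " + path)
    prefix = PUBLIC_PREFIX if path.startswith(PUBLIC_PREFIX) else PLUGIN_PREFIX
    suffix = path[len(prefix):]
    if suffix == "/":
        if user["role"] in MODULE_CHECKED_ROLES and not user["has_rbp_permission"]:
            return 403, None
        return 200, [d for d in SAMPLE_DEFS if _visible(user, d)]
    parts = suffix.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "name":
        match = [d for d in SAMPLE_DEFS if d["name"] == parts[1]]
    elif len(parts) == 1 and parts[0].isdigit():
        match = [d for d in SAMPLE_DEFS if d["id"] == int(parts[0])]
    else:
        match = []
    if not match:
        return 404, None
    return (200, match[0]) if _visible(user, match[0]) else (403, None)

def http_fetch_factory(base_url, password_for):
    """Build a fetch() for a live Ranger Admin; password_for(user) is caller-supplied."""
    def fetch(path, user):
        req = urllib.request.Request(base_url.rstrip("/") + path)
        cred = f"{user['name']}:{password_for(user)}".encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(cred).decode())
        req.add_header("Accept", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, None
    return fetch

def _fillings(template, ids, names):
    if "{id}" in template:
        return [{"id": i} for i in ids]
    return [{"name": n} for n in names] if "{name}" in template else [{}]

def check_parity(fetch, users, ids=(1, 7), names=("hdfs", "kms")):
    """(user, public path, plugin path, status, status) for every pair that disagrees."""
    mismatches = []
    for user in users:
        for pub, plug in ENDPOINT_PAIRS:
            for fill in _fillings(pub, ids, names):
                p1, p2 = pub.format(**fill), plug.format(**fill)
                s1, s2 = fetch(p1, user)[0], fetch(p2, user)[0]
                if s1 != s2:
                    mismatches.append((user["name"], p1, p2, s1, s2))
    return mismatches

def find_module_permission_gaps(fetch, users, prefix=PUBLIC_PREFIX, sdef_id=1, name="hdfs"):
    """Users denied on the list endpoint who can still read a def by id or by name."""
    gaps = []
    for user in users:
        if fetch(prefix + "/", user)[0] // 100 == 2:
            continue
        for path in (f"{prefix}/{sdef_id}", f"{prefix}/name/{name}"):
            if fetch(path, user)[0] // 100 == 2:
                gaps.append((user["name"], path))
    return gaps

if __name__ == "__main__":
    print("parity mismatches:", check_parity(simulated_fetch, SAMPLE_USERS))
    print("module-permission gaps:", find_module_permission_gaps(simulated_fetch, SAMPLE_USERS))
```

Against the simulated fetcher `check_parity` returns no mismatches, because both URL families resolve to the same logic, which is the property the change is meant to establish; `find_module_permission_gaps` reports the User without the module permission as able to read hdfs by id and by name despite being denied on the list endpoint, which is the inconsistency the reply attributes to the existing ServiceREST code. To run the same checks against a real deployment, swap in `http_fetch_factory(base_url, password_for)` with real user names and compare the results to the offline expectation.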