-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 196 (original), 212 (patched)
<https://reviews.apache.org/r/73627/#comment312643>

    If the requirement is to return true when the current user has 'delegate-admin' 
for at least one permission listed in the policy, the only change needed will 
be to add the following after #226:
    
      if (accessTypes.removeAll(allowedAccesses)) {
        ret = true;
        break;
      }
    
    No change should be needed in getAllAccessTypes() method - #199 above.



security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
Lines 268 (patched)
<https://reviews.apache.org/r/73627/#comment312642>

    isZoneAdmin() => isZoneAuditor()


- Madhan Neethiraj


On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 4, 2021, 3:05 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger: alice, bob, and charlie. Alice has admin role, bob and 
> charlie have user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that 
> policy there are 2 policy items; one for bob, and the other for alice with RWX 
> permissions with "Delegate Admin".
> Log in as bob, and edit the policy item for bob: remove Write permission.
> After saving the policy bob is not able to see the policy anymore. It only 
> becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users 
> specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is 
> checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other 
> delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
> e2a0884a6 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
>  a6f0a1a2a 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
> 3cd289cc2 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 
> 7fdda9a1e 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/1/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
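The two checks discussed in this thread ("at least one permission" in the review comment, "all requested permissions" in step 4 of the description), side by side as an added example that is not Ranger's code. The class, the method names and the sample access sets are assumptions made for illustration; only the `removeAll` idiom comes from the review comment.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration; all names here are hypothetical, not Ranger's API.
public class DelegateAdminCheck {

    // "At least one" semantics: true as soon as any delegated-admin policy
    // covers one of the requested access types.
    static boolean anyAccessDelegated(Set<String> requested, List<Set<String>> delegatedPolicies) {
        for (Set<String> allowedAccesses : delegatedPolicies) {
            // Work on a copy: removeAll mutates the set it is called on.
            Set<String> accessTypes = new HashSet<>(requested);
            // removeAll returns true only if at least one element was removed,
            // i.e. the two sets have at least one access type in common.
            if (accessTypes.removeAll(allowedAccesses)) {
                return true;
            }
        }
        return false;
    }

    // "All" semantics: every requested access type must be covered, possibly
    // by different delegated-admin policies, so one working set is shared
    // across the loop and must end up empty.
    static boolean allAccessesDelegated(Set<String> requested, List<Set<String>> delegatedPolicies) {
        Set<String> remaining = new HashSet<>(requested);
        for (Set<String> allowedAccesses : delegatedPolicies) {
            remaining.removeAll(allowedAccesses);
            if (remaining.isEmpty()) {
                return true;
            }
        }
        // An empty request is vacuously allowed; anything left over is uncovered.
        return remaining.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample data: the caller is delegated admin on two policies,
        // neither of which grants "write".
        List<Set<String>> delegated = List.of(Set.of("read", "execute"), Set.of("read"));
        Set<String> requested = Set.of("read", "write", "execute");

        System.out.println("any: " + anyAccessDelegated(requested, delegated));
        System.out.println("all: " + allAccessesDelegated(requested, delegated));
        System.out.println("write only: " + anyAccessDelegated(Set.of("write"), delegated));
    }
}
```

The two methods disagree on the first request because "write" is not delegated anywhere, which is the case where the choice of semantics decides whether the caller keeps administrative access to the policy.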
