-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/
-----------------------------------------------------------
(Updated Oct. 5, 2021, 12:27 a.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja
Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated based on suggested updates to the delegated-admin treatment for reading
and writing.
Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462
Repository: ranger
Description
-------
Steps to reproduce the issue:
Create users in Ranger: alice, bob, and charlie. Alice has admin role, bob and
charlie have user role.
Create an HDFS policy with name "test-delegate-admin" as alice. In that policy
there are 2 policy items; one for bob, and the other for alice with RWX permissions
with "Delegate Admin".
Log in as bob, and edit the policy item for bob: remove Write permission.
After saving the policy, bob is not able to see the policy anymore. It only
becomes visible after the Write permission is restored.
Fix involves:
1. When a policy is updated, the policy-items are segregated based on users
specified in the policy-item.
2. For admin users, updates to permissions are not checked.
3. For the user/group/role updating the policy, only admin permission is
checked in all delegated-admin policies.
4. For other users all requested permissions are checked against other
delegated-admin policies.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
Diff: https://reviews.apache.org/r/73627/diff/2/
Changes: https://reviews.apache.org/r/73627/diff/1-2/
Testing
-------
Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.
Thanks,
Abhay Kulkarni
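
A simplified model of the four steps listed under "Fix involves", as an added example that is not part of the review request or of Ranger's code. It assumes step 2 applies to policy items that name admin users and that the delegated-admin grants in force are passed in as a flat list; every class, method and field name is hypothetical.

```java
import java.util.*;

// Simplified model of the four steps listed under "Fix involves".
// All class, method and field names here are hypothetical, not Ranger's.
public class DelegatedAdminUpdateCheck {
    // One policy item: the user it names, the accesses it grants, the Delegate Admin flag.
    static final class Item {
        final String user; final Set<String> accesses; final boolean delegateAdmin;
        Item(String user, Set<String> accesses, boolean delegateAdmin) {
            this.user = user; this.accesses = accesses; this.delegateAdmin = delegateAdmin;
        }
    }

    /** True when updater may save the updated items, judged against the delegated-admin items in force. */
    static boolean mayUpdate(String updater, Set<String> admins, List<Item> updated, List<Item> inForce) {
        boolean updaterHasAdmin = false;            // is admin delegated to the updater at all?
        Set<String> delegable = new HashSet<>();    // accesses the updater holds with Delegate Admin
        for (Item i : inForce) {
            if (i.delegateAdmin && i.user.equals(updater)) {
                updaterHasAdmin = true;
                delegable.addAll(i.accesses);
            }
        }
        for (Item i : updated) {                    // step 1: segregate items by the user they name
            if (admins.contains(i.user)) continue;  // step 2 (assumed reading): admin users' items are not checked
            if (i.user.equals(updater)) {           // step 3: only the admin permission is checked
                if (!updaterHasAdmin) return false;
            } else if (!updaterHasAdmin || !delegable.containsAll(i.accesses)) {
                return false;                       // step 4: every requested access must be covered
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed data modelled on the repro scenario; charlie's items are added to exercise step 4.
        Set<String> admins = Set.of("alice");
        List<Item> inForce = List.of(new Item("bob", Set.of("read", "execute"), true));
        Item alice = new Item("alice", Set.of("read", "write", "execute"), true);
        Item bob = new Item("bob", Set.of("read", "execute"), true);   // Write removed by bob
        Item charlieRead = new Item("charlie", Set.of("read"), false);
        Item charlieWrite = new Item("charlie", Set.of("read", "write"), false);
        // Case 1: bob narrows his own item. Case 2: bob grants charlie an access he holds.
        // Case 3: bob grants charlie Write, which bob no longer holds with Delegate Admin.
        System.out.println(mayUpdate("bob", admins, List.of(alice, bob), inForce));
        System.out.println(mayUpdate("bob", admins, List.of(alice, bob, charlieRead), inForce));
        System.out.println(mayUpdate("bob", admins, List.of(alice, bob, charlieWrite), inForce));
    }
}
```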