Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Mon, 04 Oct 2021 18:23:36 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223565
-----------------------------------------------------------



Abhay - updates look good. Please review following methods as well: 
grantAccess(), revokeAccess().

- Madhan Neethiraj


On Oct. 5, 2021, 12:27 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 5, 2021, 12:27 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and 
> charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that 
> policy there 2 policy items; one for bob, and the other for alice with RWX 
> permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only 
> becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users 
> specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is 
> checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other 
> delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java 
> e2a0884a6 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java
>  a6f0a1a2a 
>   
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
> 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> f1123d19c 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/2/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Reply via email to