-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------
Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal,
Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and
Velmurugan Periasamy.
Bugs: RANGER-3502
https://issues.apache.org/jira/browse/RANGER-3502
Repository: ranger
Description
-------
Currently get zones API returns all zones even for users who are not authorized
to zone modules. Restrict this API to only users who are authorized to zone
module.
Steps to reproduce:
Create a internal user name, test_user1
Remove the permission on Security Zone module for a user
Login as test_user1 user to Ranger Admin, user should not be able to see
Security Zone tab
Access the API using curl
curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H
"Content-Type:application/json"
"https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
Diffs
-----
security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
fcf843370
security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java
d6384a694
Diff: https://reviews.apache.org/r/73673/diff/1/
Testing
-------
1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module
5. Verified curl (GET zones API) with non-admin user having access to zone
module
6. Verified UI login with non-admin user having NO access to zone module
7. Verified curl (GET zones API) with non-admin user having NO access to zone
module
8. Created /Updated deleted services
9. Created /Updated deleted policies
10. Created /Updated deleted zones & associated attached them to services
Thanks,
Kishor Gollapalliwar
