Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only

Tue, 02 Nov 2021 07:10:08 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------

(Updated Nov. 2, 2021, 2:09 p.m.)


Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, 
Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and 
Velmurugan Periasamy.


Summary (updated)
-----------------

RANGER-3502: Make GET zone APIs accessible to authorized users only


Bugs: RANGER-3502
    https://issues.apache.org/jira/browse/RANGER-3502


Repository: ranger


Description (updated)
-------

Currently get zones API returns all zones even for users who are not authorized 
to zone modules. Restrict this API to only users who are authorized to zone 
module.

Steps to reproduce:

Create a internal user name, test_user1
Remove the permission on Security Zone module for a user
Login as test_user1 user to Ranger Admin, user should not be able to see 
Security Zone tab
Access the API using following curls
1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H 
"Content-Type:application/json" 
"https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H 
"Content-Type:application/json" 
"https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H 
"Content-Type:application/json" 
"https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java 
fcf843370 
  security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java 
d6384a694 


Diff: https://reviews.apache.org/r/73673/diff/2/


Testing
-------

1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module 
5. Verified curl (GET zones API) with non-admin user having access to zone 
module
6. Verified UI login with non-admin user having NO access to zone module 
7. Verified curl (GET zones API) with non-admin user having NO access to zone 
module
8. Created /Updated deleted services
9. Created /Updated deleted policies
10. Created /Updated deleted zones & associated attached them to services


Thanks,

Kishor Gollapalliwar

Reply via email to