> On Nov. 2, 2021, 2:33 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
> > Lines 290 (patched)
> > <https://reviews.apache.org/r/73673/diff/2/?file=2255079#file2255079line291>
> >
> >     Ranger admin UI for policies shows a list of security zones in a dropdown
> >     list. Does the UI use this (getAllZones()) API to retrieve the list of security
> >     zones? If yes, users not having MODULE_SECURITY_ZONE permission will not be
> >     able to get this list populated, and they will not be able to manage
> >     policies in a security zone. Please review this use case.

The API (getAllZones()) is used on the Dashboard, Reports and Access Audits pages. It seems the implementation of these pages/functionalities is based on the assumption that zones and related info will be available/visible to all, regardless of whether they are authorized or not. This patch will break these functionalities. Please suggest whether the current implementation of these pages/functionalities (Dashboard, Reports and Access Audits pages) is correct.

- Kishor

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223705
-----------------------------------------------------------

On Nov. 2, 2021, 2:09 p.m., Kishor Gollapalliwar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73673/
> -----------------------------------------------------------
>
> (Updated Nov. 2, 2021, 2:09 p.m.)
>
>
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal,
> Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and
> Velmurugan Periasamy.
>
>
> Bugs: RANGER-3502
>     https://issues.apache.org/jira/browse/RANGER-3502
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Currently the get zones API returns all zones even for users who are not
> authorized to the zone module. Restrict this API to only users who are
> authorized to the zone module.
>
> Steps to reproduce:
>
> Create an internal user named test_user1
> Remove the permission on the Security Zone module for the user
> Log in as test_user1 to Ranger Admin; the user should not be able to see
> the Security Zone tab
> Access the API using the following curls:
> 1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H
>    "Content-Type:application/json"
>    "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
> 2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H
>    "Content-Type:application/json"
>    "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
> 3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H
>    "Content-Type:application/json"
>    "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370
>   security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694
>
>
> Diff: https://reviews.apache.org/r/73673/diff/2/
>
>
> Testing
> -------
>
> 1. mvn clean compile package install verify
> 2. Verified UI login with admin user
> 3. Verified curl (GET zones API) with admin user
> 4. Verified UI login with non-admin user having access to zone module
> 5. Verified curl (GET zones API) with non-admin user having access to zone
>    module
> 6. Verified UI login with non-admin user having NO access to zone module
> 7. Verified curl (GET zones API) with non-admin user having NO access to zone
>    module
> 8. Created/updated/deleted services
> 9. Created/updated/deleted policies
> 10. Created/updated/deleted zones and associated/attached them to services
>
>
> Thanks,
>
> Kishor Gollapalliwar
>
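The three curls in the "Steps to reproduce" above, turned into a repeatable pass/fail check. This is an added example written for this page; it is not part of the review request or of the Ranger code base. It assumes (nothing on the page states the exact codes) that after the patch a user without the Security Zone module permission receives HTTP 403 from all three GET endpoints while a user who has the module receives 200, and it takes the admin host, the credentials of both test users, and a real zone ID and name from environment variables (RANGER_ADMIN_HOST, ADMIN_CRED, TEST_USER_CRED, ZONE_ID, ZONE_NAME; defaults are placeholders). The network part only runs when RANGER_ADMIN_HOST is set, so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example for RANGER-3502 (not the project's own code): run the three
# GET zone endpoints as an authorized and an unauthorized user and report
# whether the module restriction holds.
#
# Assumptions (not stated on the review page):
#   - unauthorized user -> HTTP 403 on every endpoint; authorized user -> 200
#   - RANGER_ADMIN_HOST, ADMIN_CRED, TEST_USER_CRED, ZONE_ID, ZONE_NAME are
#     supplied by the caller; the defaults below are placeholders
set -eu

: "${RANGER_ADMIN_PORT:=6182}"
: "${ZONE_ID:=1}"
: "${ZONE_NAME:=zone1}"

# expected_status <authorized|unauthorized>: HTTP status we expect for that user
expected_status() {
  case "$1" in
    authorized)   echo 200 ;;
    unauthorized) echo 403 ;;
    *) echo "unknown user kind: $1" >&2; return 1 ;;
  esac
}

# verdict <authorized|unauthorized> <actual_status>: prints PASS/FAIL,
# returns 0 on PASS and 1 on FAIL
verdict() {
  kind=$1; actual=$2
  if [ "$actual" = "$(expected_status "$kind")" ]; then
    echo PASS; return 0
  fi
  echo FAIL; return 1
}

# http_status <user:pass> <path>: HTTP status code of a GET, body discarded
http_status() {
  curl -sk -o /dev/null -w '%{http_code}' -u "$1" -X GET \
    -H "Accept:application/json" -H "Content-Type:application/json" \
    "https://${RANGER_ADMIN_HOST}:${RANGER_ADMIN_PORT}$2"
}

# check_user <authorized|unauthorized> <user:pass>: hits the three endpoints
# from the reproduction steps, prints one line per endpoint, returns 1 if any
# endpoint did not behave as expected for that kind of user
check_user() {
  kind=$1; cred=$2; rc=0
  for path in "/service/zones/zones" \
              "/service/zones/zones/${ZONE_ID}" \
              "/service/zones/zones/name/${ZONE_NAME}"; do
    status=$(http_status "$cred" "$path")
    result=$(verdict "$kind" "$status") || rc=1
    printf '%-12s %-40s got %s expected %s  %s\n' \
      "$kind" "$path" "$status" "$(expected_status "$kind")" "$result"
  done
  return $rc
}

# Only talk to the network when a host is configured.
if [ -n "${RANGER_ADMIN_HOST:-}" ]; then
  rc=0
  check_user authorized   "${ADMIN_CRED:-admin:admin}"             || rc=1
  check_user unauthorized "${TEST_USER_CRED:-test_user1:pass@123}" || rc=1
  exit $rc
fi
```

Run it as `RANGER_ADMIN_HOST=ranger.example ZONE_ID=3 ZONE_NAME=finance TEST_USER_CRED=test_user1:pass@123 sh check_zone_authz.sh`; a non-zero exit means at least one endpoint either leaked zone data to the unprivileged user or blocked the privileged one. If the thread settles on a different contract (for example getAllZones() returning a filtered, possibly empty, list so the Dashboard and Reports pages keep working), change expected_status accordingly rather than the call sites.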