-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223755
-----------------------------------------------------------


security-admin/src/main/java/org/apache/ranger/view/RangerMinimal.java
Lines 35 (patched)
<https://reviews.apache.org/r/73673/#comment312844>

    All classes serialized/deserialized in REST APIs should be under agents-common/src/main/java/org/apache/ranger/plugin/model. Please move all relevant new classes in this patch.


security-admin/src/main/java/org/apache/ranger/view/RangerSecurityZoneMinimalList.java
Lines 36 (patched)
<https://reviews.apache.org/r/73673/#comment312845>

    Consider replacing RangerSecurityZoneMinimalList with the following class:

    public class RangerSecurityZoneHeader extends RangerBaseModelObject implements java.io.Serializable {
      private String name;
      ...
    }

    To be consistent with other REST APIs that return a list, consider returning List<RangerSecurityZoneHeader>. For example:

    public class PublicAPIsv2 {
      ...
      public List<RangerSecurityZone> getAllZones(..) { .. }
      public List<RangerService> searchServices(..) { .. }
    }


security-admin/src/main/java/org/apache/ranger/view/RangerServiceMinimalList.java
Lines 36 (patched)
<https://reviews.apache.org/r/73673/#comment312846>

    Similar to the earlier comment on RangerSecurityZoneMinimalList, consider replacing the RangerServiceMinimalList class with RangerServiceHeader.


security-admin/src/main/resources/META-INF/jpa_named_queries.xml
Lines 1558 (patched)
<https://reviews.apache.org/r/73673/#comment312847>

    Consider replacing "Minimals" with "HeaderInfo" - here and in all other places.


- Madhan Neethiraj


On Nov. 18, 2021, 4:21 p.m., Kishor Gollapalliwar wrote:

>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73673/
> -----------------------------------------------------------
>
> (Updated Nov. 18, 2021, 4:21 p.m.)
>
>
> Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3502
>     https://issues.apache.org/jira/browse/RANGER-3502
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Currently the get zones API returns all zones even for users who are not authorized to the zone module. Restrict this API to only users who are authorized to the zone module.
>
> Steps to reproduce:
>
> 1. Create an internal user named test_user1
> 2. Remove the permission on the Security Zone module for the user
> 3. Login as test_user1 to Ranger Admin; the user should not be able to see the Security Zone tab
> 4. Access the API using the following curls:
>
>    1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
>    2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
>    3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370
>   security-admin/src/main/java/org/apache/ranger/view/RangerMinimal.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerSecurityZoneMinimalList.java PRE-CREATION
>   security-admin/src/main/java/org/apache/ranger/view/RangerServiceMinimalList.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 85cadbbd5
>   security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513
>   security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d
>   security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27
>   security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694
>
>
> Diff: https://reviews.apache.org/r/73673/diff/3/
>
>
> Testing
> -------
>
> 1. mvn clean compile package install verify
> 2. Verified UI login with admin user
> 3. Verified curl (GET zones API) with admin user
> 4. Verified UI login with non-admin user having access to zone module
> 5. Verified curl (GET zones API) with non-admin user having access to zone module
> 6. Verified UI login with non-admin user having NO access to zone module
> 7. Verified curl (GET zones API) with non-admin user having NO access to zone module
> 8. Created / updated / deleted services
> 9. Created / updated / deleted policies
> 10. Created / updated / deleted zones & attached them to services
> 11. Verified behaviour on dashboard, report, access audit, import & export functionalities
>
>
> Thanks,
>
> Kishor Gollapalliwar
>
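The two points in this thread, restricting the GET zones endpoints to users who hold the Security Zone module permission (the bug in RANGER-3502) and returning a list of "header" objects rather than a dedicated MinimalList wrapper (Madhan's review comment), are illustrated below in a self-contained sketch added here for the reader. It is not code from the Ranger patch under review or from the Ranger code base: the class names (`ZoneAuthzSketch`, `SecurityZoneHeader`, `ForbiddenException`), the `MODULE_SECURITY_ZONE` string, the in-memory permission and zone tables, and the sample users and zones are all constructed assumptions standing in for Ranger's real module-permission lookup, JPA store and `RangerBaseModelObject`. The point it demonstrates is that the authorization check runs before any zone data is read (so the "by id" and "by name" variants cannot be used to probe for zone existence either), and that the list endpoint exposes only identifying fields.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch, not Ranger's own code. Names and data are constructed for illustration.
public class ZoneAuthzSketch {

    // Constructed placeholder for the module name checked by the permission lookup.
    public static final String MODULE_SECURITY_ZONE = "Security Zone";

    // List-view DTO in the spirit of the RangerSecurityZoneHeader proposed in review:
    // only identifying fields, no admin users, no service-to-resource mappings.
    public static final class SecurityZoneHeader implements java.io.Serializable {
        private static final long serialVersionUID = 1L;
        private final Long id;
        private final String name;
        public SecurityZoneHeader(Long id, String name) { this.id = id; this.name = name; }
        public Long getId() { return id; }
        public String getName() { return name; }
        @Override public String toString() { return "SecurityZoneHeader{id=" + id + ", name='" + name + "'}"; }
    }

    // Full zone record (constructed stand-in). The extra fields are exactly what a header must not leak.
    static final class SecurityZone {
        final Long id; final String name; final List<String> adminUsers;
        SecurityZone(Long id, String name, List<String> adminUsers) { this.id = id; this.name = name; this.adminUsers = adminUsers; }
    }

    // A REST layer would map this to HTTP 403; the body carries no zone data.
    public static final class ForbiddenException extends RuntimeException {
        public ForbiddenException(String message) { super(message); }
    }

    private final Map<String, Set<String>> modulesByUser;  // constructed stand-in for module permissions
    private final List<SecurityZone> zoneStore;            // constructed stand-in for the zone table

    public ZoneAuthzSketch(Map<String, Set<String>> modulesByUser, List<SecurityZone> zoneStore) {
        this.modulesByUser = modulesByUser;
        this.zoneStore = zoneStore;
    }

    // Fail closed: an unknown user or a user with no module entry is treated as unauthorized.
    boolean hasModulePermission(String user, String module) {
        Set<String> modules = modulesByUser.get(user);
        return modules != null && modules.contains(module);
    }

    private void requireZoneModule(String user) {
        if (!hasModulePermission(user, MODULE_SECURITY_ZONE)) {
            throw new ForbiddenException("user '" + user + "' is not authorized to the " + MODULE_SECURITY_ZONE + " module");
        }
    }

    // Equivalent of GET /service/zones/zones: the check precedes the store read and the result is a
    // plain List of headers, matching the List<...> shape of the other public list APIs.
    public List<SecurityZoneHeader> getZoneHeaders(String user) {
        requireZoneModule(user);
        List<SecurityZoneHeader> headers = new ArrayList<>();
        for (SecurityZone z : zoneStore) headers.add(new SecurityZoneHeader(z.id, z.name));
        return Collections.unmodifiableList(headers);
    }

    // Equivalent of GET /service/zones/zones/name/{ZONE_NAME}: the same guard applies before lookup,
    // so "not found" versus "found" is never revealed to a caller without the module permission.
    public SecurityZoneHeader getZoneHeaderByName(String user, String zoneName) {
        requireZoneModule(user);
        for (SecurityZone z : zoneStore) if (z.name.equals(zoneName)) return new SecurityZoneHeader(z.id, z.name);
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data: admin holds the module permission, test_user1 does not.
        Map<String, Set<String>> perms = new HashMap<>();
        perms.put("admin", new HashSet<>(Arrays.asList(MODULE_SECURITY_ZONE, "Resource Based Policies")));
        perms.put("test_user1", new HashSet<>(Collections.singletonList("Resource Based Policies")));
        List<SecurityZone> zones = Arrays.asList(
            new SecurityZone(1L, "finance", Arrays.asList("fin_admin")),
            new SecurityZone(2L, "hr", Arrays.asList("hr_admin")));
        ZoneAuthzSketch api = new ZoneAuthzSketch(perms, zones);

        System.out.println("admin -> " + api.getZoneHeaders("admin"));
        try {
            api.getZoneHeaders("test_user1");
        } catch (ForbiddenException e) {
            System.out.println("test_user1 -> 403: " + e.getMessage());
        }
        try {
            api.getZoneHeaderByName("test_user1", "finance");
        } catch (ForbiddenException e) {
            System.out.println("test_user1 by name -> 403: " + e.getMessage());
        }
    }
}
```

Running `main` prints the two headers for `admin` and a 403-style rejection for `test_user1` on both the list and the by-name call; the rejection message names the module, not the zone, so nothing about zone contents or existence is disclosed to an unauthorized caller.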
