Re: Review Request 73736: A delegate admin user should be able to add another user with all or subset of permissions they haveA delegate admin user should be able to add another user with all or subset of permissions they have

Fri, 03 Dec 2021 10:06:28 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73736/
-----------------------------------------------------------

(Updated Dec. 3, 2021, 6:06 p.m.)


Review request for ranger, Kishor Gollapalliwar, Madhan Neethiraj, Ramesh Mani, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Updated with the details of the JIRA.


Summary (updated)
-----------------

A delegate admin user should be able to add another user with all or subset of 
permissions they haveA delegate admin user should be able to add another user 
with all or subset of permissions they have


Bugs: RANGER-3535
    https://issues.apache.org/jira/browse/RANGER-3535


Repository: ranger


Description (updated)
-------

Steps to reproduce:

Login to Ranger Admin as admin user
Create normal users (steve, peter, erwin, bob) in Ranger Admin
Create new policy p1 with resource /p1 & allowed users steve (read, 
delegate-admin) & peter (read, delegate-admin)
Create new policy p2 with resource /p2 & allowed users steve (read, write, 
delegate-admin) & peter (read, delegate-admin)
Create new policy p3 with resource /p3 & allowed users steve (write, 
delegate-admin) & peter (read, delegate-admin)
Create new policy p4 with resource /p4 & allowed users bob (read, write) & 
peter (read, delegate-admin)
Log out as admin user, and login again as peter
Try to add user erwin (read) in p1, p2, p3 & p4
delegate admin user peter should be able to add user erwin in all policies, but 
other than p1 rest all fails.
Requirement:

Delegate admin user should be able to add other users with permissions less or 
equal to his/ her.
Delegate admin user should not be able to add other users with permission more 
than what he/ she possesses. Basically he/ she can give permissions, all or 
sub-set of permissions he/ she possesses.
Delegate admin user should not be able to add more permissions to his own.


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java
 c84d0bc9f 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 
5311a54a2 


Diff: https://reviews.apache.org/r/73736/diff/4/

Changes: https://reviews.apache.org/r/73736/diff/3-4/


Testing
-------


Thanks,

Abhay Kulkarni

Reply via email to