-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------
(Updated Dec. 6, 2021, 12:22 p.m.)
Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj,
Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu,
Vishal Suvagia, and Velmurugan Periasamy.
Bugs: RANGER-3502
https://issues.apache.org/jira/browse/RANGER-3502
Repository: ranger
Description
-------
Currently the get zones API returns all zones even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.
Steps to reproduce:
Create an internal user named test_user1
Remove the permission on the Security Zone module for the user
Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
Access the API using the following curl commands
1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 204cadbf0
security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370
security-admin/src/main/resources/META-INF/jpa_named_queries.xml 539d600c8
security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513
security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d
security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27
security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31
security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694
Diff: https://reviews.apache.org/r/73673/diff/6/
Changes: https://reviews.apache.org/r/73673/diff/5-6/
Testing
-------
1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module
5. Verified curl (GET zones API) with non-admin user having access to zone module
6. Verified UI login with non-admin user having NO access to zone module
7. Verified curl (GET zones API) with non-admin user having NO access to zone module
8. Created / updated / deleted services
9. Created / updated / deleted policies
10. Created / updated / deleted zones and attached them to services
11. Verified behaviour on dashboard, report, access audit, import & export functionalities
Thanks,
Kishor Gollapalliwar
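Added example, not part of this review request and not Ranger's code: a small Python model of the authorization gate the description asks for, put in front of all three zone-read routes (list, by id, by name). The users, the module name constant, the zone table and the function names (check_module_access, handle) are constructed for the example; Ranger's real permission model and REST classes are not reproduced. The point it demonstrates is that the module check runs before the zone lookup, so a user without the Security Zone module gets 403 on every route, including a lookup of a non-existent id or name, and cannot tell from the response whether a zone exists.

```python
"""Model of a module-permission gate in front of zone-read endpoints.

Everything here is constructed for illustration: user records, the
module name, the zone table and the route dispatcher. It is not Ranger code.
"""
from dataclasses import dataclass, field

SECURITY_ZONE_MODULE = "Security Zone"  # module the zone endpoints are gated on


@dataclass
class User:
    name: str
    is_admin: bool = False
    modules: set = field(default_factory=set)  # module permissions granted


# Constructed sample data: two zones and three callers with different rights.
ZONES = {1: "zone_finance", 2: "zone_hr"}
USERS = {
    "admin": User("admin", is_admin=True),
    "zone_user": User("zone_user", modules={SECURITY_ZONE_MODULE}),
    "test_user1": User("test_user1", modules={"Resource Based Policies"}),
}


class Forbidden(Exception):
    """Caller lacks the module permission; the REST layer maps this to 403."""


def check_module_access(user, module):
    # Admins pass; everyone else must hold the module permission explicitly.
    if user.is_admin or module in user.modules:
        return
    raise Forbidden(f"user {user.name} has no access to module {module}")


def get_all_zones(user):
    check_module_access(user, SECURITY_ZONE_MODULE)
    return [{"id": i, "name": n} for i, n in sorted(ZONES.items())]


def get_zone_by_id(user, zone_id):
    # The permission check precedes the lookup, so an unauthorized caller
    # gets 403 whether or not the id exists (no existence oracle).
    check_module_access(user, SECURITY_ZONE_MODULE)
    return {"id": zone_id, "name": ZONES[zone_id]}


def get_zone_by_name(user, name):
    check_module_access(user, SECURITY_ZONE_MODULE)
    for zone_id, zone_name in ZONES.items():
        if zone_name == name:
            return {"id": zone_id, "name": zone_name}
    raise KeyError(name)


def handle(user_name, path):
    """Dispatch the three GET routes from the review description.

    Returns (http_status, body) the way a REST layer would.
    """
    user = USERS[user_name]
    parts = path.strip("/").split("/")
    try:
        if parts == ["service", "zones", "zones"]:
            return 200, get_all_zones(user)
        if len(parts) == 5 and parts[:4] == ["service", "zones", "zones", "name"]:
            return 200, get_zone_by_name(user, parts[4])
        if len(parts) == 4 and parts[:3] == ["service", "zones", "zones"]:
            return 200, get_zone_by_id(user, int(parts[3]))
        return 404, "no such route"
    except Forbidden as exc:
        return 403, str(exc)
    except (KeyError, ValueError):
        return 404, "zone not found"


def all_zone_routes_denied(user_name):
    """Mirror of the manual verification: every zone-read route must return
    403 for the given user, including lookups of ids/names that do not exist."""
    paths = [
        "/service/zones/zones",
        "/service/zones/zones/1",
        "/service/zones/zones/999",
        "/service/zones/zones/name/zone_hr",
        "/service/zones/zones/name/does_not_exist",
    ]
    return all(handle(user_name, p)[0] == 403 for p in paths)


if __name__ == "__main__":
    for who in USERS:
        print(who, handle(who, "/service/zones/zones"))
    print("test_user1 denied everywhere:", all_zone_routes_denied("test_user1"))
```

Placing the check in each read function rather than only in the list route is the part that matters: if only the list endpoint were gated, the by-id and by-name routes would still disclose zone details to a user who has been removed from the module.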