Dineshkumar Yadav created RANGER-3590:
-----------------------------------------
Summary: User with Auditor role in security zone can change a policy's name and description
Key: RANGER-3590
URL: https://issues.apache.org/jira/browse/RANGER-3590
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Dineshkumar Yadav
Assignee: Dineshkumar Yadav
h3. Reproduction
h4. Precondition
# Users hrt_2 and hrt_3 have the role User in Ranger.
# Create a security zone with name "test_security_zone" and with:
Admin users: hrt_2
Auditor Users: hrt_3
Resource Services: cm_hive, and for database test_db
# Log in as hrt_2 and create a hive policy named "test_security_zone_policy" with arbitrary content.
h4. Test steps
# Log in as hrt_3 and try to create a new hive policy "new_test_security_zone_policy" with arbitrary content.
# As hrt_3, try to change the name or description of "test_security_zone_policy".
# As hrt_3, try to change the resource or permissions of "test_security_zone_policy" (e.g. add another database, or add a new user to Allow Conditions).
h4. Expected behavior
# Creation of new policy should be denied for hrt_3.
# Update of already existing policy's name or description should be denied for hrt_3.
# Update of resources, permissions should be denied for hrt_3.
h4. Actual behavior
# Creation of new policy is denied as expected.
# Update succeeds.
# Trying to update resources or permission results in access denied, as expected.