-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74068/
-----------------------------------------------------------
(Updated Aug. 3, 2022, 7:02 p.m.)
Review request for ranger, bhavik patel, Dhaval Shah, Abhay Kulkarni, Madhan
Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Both ensureAdminAccess and getRoleIfAccessible should be changed to have
uniform behavior across all APIs.
Summary (updated)
-----------------
RANGER-3837 Changed ensureAdminAccess and getRoleIfAccessible so that both
admins and service admins can now get, create, edit, and delete roles
Bugs: RANGER-3837
https://issues.apache.org/jira/browse/RANGER-3837
Repository: ranger
Description
-------
For Ozone S3 Multi-Tenancy assign user CLI, we would edit a Ranger role to add
a new user. During tenant creation, we create two new Ranger roles
(tenant1-AdminRole and tenant1-UserRole).
As OM prefers using om user (in ozone.keytab) to talk to Ranger, we wouldn't be
able to create/edit/delete roles with that credential. And there doesn't seem
to be a config to allow it at this point.
Changes done: Changed ensureAdminAccess so that both admins and service admins
can now get, create, edit, and delete roles.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 1e74a5ffd
Diff: https://reviews.apache.org/r/74068/diff/2/
Changes: https://reviews.apache.org/r/74068/diff/1-2/
Testing
-------
Here is the observed expected behavior:
When the logged-in user is of type ROLE_USER:
Delete is not successful even if execUser is {ROLE_USER, admin or service admin}
Adding user fails
When the logged-in user is a service admin:
Delete succeeds when execUser is service admin
Delete succeeds when execUser is admin
Delete fails when execUser is ROLE_USER
Adding user succeeds
When the logged-in user is ROLE_SYS_ADMIN:
Delete succeeds even if execUser is {ROLE_USER, admin or service admin}
Adding user succeeds
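The access matrix above, written out as one decision predicate so that every role API (get/create/edit/delete) consults the same rule. This is an added illustration, not Ranger's RoleREST code: the UserType enum, the isRoleChangeAllowed method, and the assumption that "admin" in the test notes means ROLE_SYS_ADMIN are all constructed here.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical model of the caller/execUser check described in the review's
// Testing section; not the project's own implementation.
public class RoleAccessCheck {

    // Assumed mapping of the three caller types named in the test notes.
    enum UserType { ROLE_USER, SERVICE_ADMIN, ROLE_SYS_ADMIN }

    private static final Set<UserType> ADMIN_LIKE =
        EnumSet.of(UserType.SERVICE_ADMIN, UserType.ROLE_SYS_ADMIN);

    /**
     * Single decision shared by get/create/edit/delete so behaviour is uniform.
     * loggedIn is the authenticated caller; execUser is the user the request
     * is executed on behalf of. The decision depends on BOTH, which is the
     * point of the matrix: a service admin may act for another admin-like
     * user but not on behalf of a plain ROLE_USER.
     */
    static boolean isRoleChangeAllowed(UserType loggedIn, UserType execUser) {
        switch (loggedIn) {
            case ROLE_SYS_ADMIN:
                return true;                          // may act for anyone
            case SERVICE_ADMIN:
                return ADMIN_LIKE.contains(execUser); // denied for ROLE_USER execUser
            default:
                return false;                         // plain users never change roles
        }
    }

    public static void main(String[] args) {
        // Walk the full matrix from the Testing section and print each outcome.
        for (UserType login : UserType.values()) {
            for (UserType exec : UserType.values()) {
                System.out.printf("loggedIn=%-14s execUser=%-14s -> %s%n",
                    login, exec,
                    isRoleChangeAllowed(login, exec) ? "allowed" : "denied");
            }
        }
    }
}
```

Running main prints nine rows; the only "allowed" rows are the three with loggedIn=ROLE_SYS_ADMIN and the two where a SERVICE_ADMIN caller supplies an admin-like execUser, matching the observed behavior listed above.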
Thanks,
Fateh Singh