roles in default policies

Abhay Kulkarni Fri, 19 Aug 2022 12:47:26 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74091/
-----------------------------------------------------------


Review request for ranger, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, and 
Velmurugan Periasamy.


Bugs: RANGER-3861
    https://issues.apache.org/jira/browse/RANGER-3861


Repository: ranger


Description
-------

Ranger allows non-admin users to create Ranger services. As a part of service 
creation, usually there are default policies created as well. If such policies 
contain users/groups/roles that do not yet exist in Ranger, then the the 
default policies cannot be created  - only admin users can create new 
users/groups/roles - and service creation fails. This clearly is not a desired 
behavior.

A non-admin service creator should be allowed to create service default policy 
and users/groups/roles in that policy.


The patch treats creating a default policy differently than creating a default 
policy (which is created implicitly when a Ranger service is created). In the 
latter case, the check for user having admin privileges is bypassed.


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/plugin/store/ServiceStore.java 
6283e02f2 
  security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
6c99df4e9 
  security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
66adac2b5 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 
41fb3bb96 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 9af354d09 
  
security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10025.java
 8367d3f6b 
  
security-admin/src/main/java/org/apache/ranger/patch/PatchForKafkaServiceDefUpdate_J10033.java
 9f0717a40 
  
security-admin/src/main/java/org/apache/ranger/patch/PatchForMigratingOldRegimePolicyJson_J10046.java
 c40280629 
  
security-admin/src/main/java/org/apache/ranger/patch/PatchForUpdatingPolicyJson_J10019.java
 ae6158ab0 
  security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java 
dfb5814f3 


Diff: https://reviews.apache.org/r/74091/diff/1/


Testing
-------

Ran all unit tests successfully.

Manually tested in the cluster service creation by a non-admin user with some 
of the users of default policies missing. Ensured that the necessary 
users/groups/roles are created and default policies as well as service gets 
created successfully.


Thanks,

Abhay Kulkarni

Review Request 74091: RANGER-3861: Allow service creator user to create users/groups/roles in default policies

Reply via email to