-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74598/#review225741
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java
Lines 264 (patched)
<https://reviews.apache.org/r/74598/#comment314176>

    when gdsPermission is null, all datasets will be returned irrespective of 
whether users have any permission in the dataset. This shouldn't be the case.
    
    1. when the filter doesn't have gdsPermission specified, VIEW permission 
should be assumed - at #258 above.
    2. consider replacing #264 - #281 with:
    
      if (!validator.hasPermission(dataset.getAcl(), gdsPermission)) {
        continue;
      }
    
      if (gdsPermission.equals(GdsPermission.LIST)) {
        scrubForListing(dataset);
      }
    
      datasets.add(dataset);
    
    3. add following method:
      private void scrubForListing(RangerDataset dataset) {
          dataset.setAcl(null);
          dataset.setOptions(null);
          dataset.setAdditionalInfo(null);
      }


- Madhan Neethiraj


On Sept. 12, 2023, 7:03 p.m., Subhrat Chaudhary wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74598/
> -----------------------------------------------------------
> 
> (Updated Sept. 12, 2023, 7:03 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, Prashant Satam, and Siddhesh Phatak.
> 
> 
> Bugs: https://issues.apache.org/jira/browse/RANGER-4324
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> First patch added in RANGER-4324 supports only view permission. Adding this 
> patch to receive permission as query param, and return datasets based on the 
> ACLs for the dataset and the permission that the logged in user has.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java 
> 440bb4c24 
>   security-admin/src/main/java/org/apache/ranger/biz/GdsDBStore.java 
> d2bd0789d 
>   security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java 
> 059954b46 
>   security-admin/src/main/java/org/apache/ranger/rest/GdsREST.java 653e397d4 
> 
> 
> Diff: https://reviews.apache.org/r/74598/diff/2/
> 
> 
> Testing
> -------
> 
> Updated API validated locally:
> 1. 3 datasets created with the user mark having ADMIN, VIEW and LIST 
> permissions respectively.
> 2. Tested /service/gds/dataset with query param gdsPermission={permission}.
> 3. For gdsPermission=LIST, all 3 datasets are returned. Following is the 
> details received if LIST permission is passed in query-param:
>    {
>             "isEnabled": true,
>             "description": "This is GDS description",
>             "name": "Dataset1",
>             "termsOfUse": "Gds Terms of Use"
>         }
> 4. For gdsPermission=VIEW, all 2 datasets are returned, where the user mark 
> has ADMIN or VIEW permissions.
> 5. For gdsPermission=ADMIN, only 1 dataset is returned, where the user mark 
> has ADMIN permissions.
> 6. If gdsPermission is not passed in query-param or if value of gdsPermission 
> is invalid, all the datasets are returned, even those to which the currently 
> logged-in user does not have ACL permission.
> 
> 
> Thanks,
> 
> Subhrat Chaudhary
> 
>
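
The fail-closed filter the review asks for, as an added example that is not part of this e-mail thread and is not Ranger's code. `DatasetFilterDemo`, `Dataset`, `parsePermission`, `search` and the three-value `GdsPermission` enum are simplified stand-ins, the permission ordering LIST < VIEW < ADMIN is inferred from the test results quoted above, and treating an invalid value the same as a missing one is an assumption.

```java
import java.util.*;

public class DatasetFilterDemo {
    // Hypothetical stand-in for the enum named in the review, in ascending order of privilege.
    enum GdsPermission { LIST, VIEW, ADMIN }

    static class Dataset {
        final String name;
        final Map<String, GdsPermission> acl;   // user -> granted permission; null once scrubbed
        Dataset(String name, Map<String, GdsPermission> acl) { this.name = name; this.acl = acl; }
    }

    // A missing or unrecognised query-param value falls back to VIEW
    // instead of switching the permission check off.
    static GdsPermission parsePermission(String raw) {
        if (raw != null) {
            try {
                return GdsPermission.valueOf(raw.trim().toUpperCase(Locale.ROOT));
            } catch (IllegalArgumentException ignored) { /* fall through to the default */ }
        }
        return GdsPermission.VIEW;
    }

    static boolean hasPermission(Map<String, GdsPermission> acl, String user, GdsPermission required) {
        GdsPermission granted = acl.get(user);
        return granted != null && granted.compareTo(required) >= 0;
    }

    static List<Dataset> search(List<Dataset> all, String user, String rawPermission) {
        GdsPermission required = parsePermission(rawPermission);
        List<Dataset> ret = new ArrayList<>();
        for (Dataset d : all) {
            if (!hasPermission(d.acl, user, required)) continue;   // never reached with a null permission
            // LIST callers get a scrubbed copy: name only, no ACL.
            ret.add(required == GdsPermission.LIST ? new Dataset(d.name, null) : d);
        }
        return ret;
    }

    public static void main(String[] args) {
        // Constructed data mirroring the test setup above, plus one dataset "mark" has no ACL entry on.
        List<Dataset> all = List.of(
            new Dataset("Dataset1", Map.of("mark", GdsPermission.ADMIN)),
            new Dataset("Dataset2", Map.of("mark", GdsPermission.VIEW)),
            new Dataset("Dataset3", Map.of("mark", GdsPermission.LIST)),
            new Dataset("Dataset4", Map.of("alice", GdsPermission.ADMIN)));
        for (String p : new String[] { null, "bogus", "LIST", "VIEW", "ADMIN" })
            System.out.println("gdsPermission=" + p + " -> " + search(all, "mark", p).size() + " dataset(s)");
    }
}
```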
