Review Request 74749: RANGER-4534 : Use of Query param GdsPermission with value NONE gives incorrect response for GDS GET APIs

Prashant Satam Tue, 21 Nov 2023 04:05:37 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74749/
-----------------------------------------------------------


Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, Monika 
Kachhadiya, Subhrat Chaudhary, and Vanita Ubale.


Bugs: RANGER-4534
    https://issues.apache.org/jira/browse/RANGER-4534


Repository: ranger


Description
-------

When we use GDS GET APIs for (dataset/datashare/project) and pass query param 
gdsPermission=NONE we get all the objects in response which is not expected

Example : 

When the param gdsPermission=NONE is passed in request, in the GET APIs e.g. 
GET /gds/dataset, whole dataset list is returned in response, even if the 
calling user is not added in the ACLs in any of the datasets.


Diffs
-----

  
security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
 6c55fd029 


Diff: https://reviews.apache.org/r/74749/diff/1/


Testing
-------

Steps to Test
1)Create Test-User-1
2)Create 2 datasets each with ACL permission for Test-User-1 as NONE,VIEW
3)Use GET API service/gds/dataset with query param as gdsPermission=NONE
4)In response you will get 2 datasets only where Test-User-1 has NONE 
permission in ACL


Thanks,

Prashant Satam

Review Request 74749: RANGER-4534 : Use of Query param GdsPermission with value NONE gives incorrect response for GDS GET APIs

Reply via email to