----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74749/#review225987 -----------------------------------------------------------
Ship it! Ship It! - Monika Kachhadiya On Nov. 21, 2023, 12:03 p.m., Prashant Satam wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74749/ > ----------------------------------------------------------- > > (Updated Nov. 21, 2023, 12:03 p.m.) > > > Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, > Monika Kachhadiya, Subhrat Chaudhary, and Vanita Ubale. > > > Bugs: RANGER-4534 > https://issues.apache.org/jira/browse/RANGER-4534 > > > Repository: ranger > > > Description > ------- > > When we use GDS GET APIs for (dataset/datashare/project) and pass query param > gdsPermission=NONE we get all the objects in response which is not expected > > Example : > > When the param gdsPermission=NONE is passed in request, in the GET APIs e.g. > GET /gds/dataset, whole dataset list is returned in response, even if the > calling user is not added in the ACLs in any of the datasets. > > > Diffs > ----- > > > security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java > 6c55fd029 > > > Diff: https://reviews.apache.org/r/74749/diff/1/ > > > Testing > ------- > > Steps to Test > 1)Create Test-User-1 > 2)Create 2 datasets each with ACL permission for Test-User-1 as NONE,VIEW > 3)Use GET API service/gds/dataset with query param as gdsPermission=NONE > 4)In response you will get 2 datasets only where Test-User-1 has NONE > permission in ACL > > > Thanks, > > Prashant Satam > >
