Re: Review Request 74749: RANGER-4534 : Use of Query param GdsPermission with value NONE gives incorrect response for GDS GET APIs

Madhan Neethiraj Tue, 28 Nov 2023 13:14:49 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74749/#review226017
-----------------------------------------------------------





security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
Line 851 (original), 851 (patched)
<https://reviews.apache.org/r/74749/#comment314367>

    This would result in an user being able to access GDS objects in which they 
have no permission i.e. GdsPermission.NONE. This doesn't seem correct. Users 
having no permission should not be allowed to retrieve the object. I suggest 
replacing #851 with:
    
      ret = false;


- Madhan Neethiraj


On Nov. 21, 2023, 12:03 p.m., Prashant Satam wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74749/
> -----------------------------------------------------------
> 
> (Updated Nov. 21, 2023, 12:03 p.m.)
> 
> 
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj, 
> Monika Kachhadiya, Subhrat Chaudhary, and Vanita Ubale.
> 
> 
> Bugs: RANGER-4534
>     https://issues.apache.org/jira/browse/RANGER-4534
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> When we use GDS GET APIs for (dataset/datashare/project) and pass query param 
> gdsPermission=NONE we get all the objects in response which is not expected
> 
> Example : 
> 
> When the param gdsPermission=NONE is passed in request, in the GET APIs e.g. 
> GET /gds/dataset, whole dataset list is returned in response, even if the 
> calling user is not added in the ACLs in any of the datasets.
> 
> 
> Diffs
> -----
> 
>   
> security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java
>  6c55fd029 
> 
> 
> Diff: https://reviews.apache.org/r/74749/diff/1/
> 
> 
> Testing
> -------
> 
> Steps to Test
> 1)Create Test-User-1
> 2)Create 2 datasets each with ACL permission for Test-User-1 as NONE,VIEW
> 3)Use GET API service/gds/dataset with query param as gdsPermission=NONE
> 4)In response you will get 2 datasets only where Test-User-1 has NONE 
> permission in ACL
> 
> 
> Thanks,
> 
> Prashant Satam
> 
>

Re: Review Request 74749: RANGER-4534 : Use of Query param GdsPermission with value NONE gives incorrect response for GDS GET APIs

Reply via email to