-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74749/#review226023
-----------------------------------------------------------

Ship it!

Ship It!

- Madhan Neethiraj

On Nov. 29, 2023, 9:25 a.m., Prashant Satam wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74749/
> -----------------------------------------------------------
>
> (Updated Nov. 29, 2023, 9:25 a.m.)
>
>
> Review request for ranger, Anand Nadar, Ankita Sinha, Madhan Neethiraj,
> Monika Kachhadiya, Subhrat Chaudhary, and Vanita Ubale.
>
>
> Bugs: RANGER-4534
>     https://issues.apache.org/jira/browse/RANGER-4534
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When we use GDS GET APIs for (dataset/datashare/project) and pass query param
> gdsPermission=NONE we get all the objects in response which is not expected
>
> Example :
>
> When the param gdsPermission=NONE is passed in request, in the GET APIs e.g.
> GET /gds/dataset, whole dataset list is returned in response, even if the
> calling user is not added in the ACLs in any of the datasets.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/validation/RangerGdsValidator.java 1cc87399b
>
>
> Diff: https://reviews.apache.org/r/74749/diff/2/
>
>
> Testing
> -------
>
> Steps to Test
> 1) Create Test-User-1
> 2) Create 2 datasets each with ACL permission for Test-User-1 as NONE, VIEW
> 3) Use GET API service/gds/dataset with query param as gdsPermission=NONE
> 4) Response will be empty
>
>
> Thanks,
>
> Prashant Satam
>
>
