-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74765/
-----------------------------------------------------------

Review request for ranger, Mehul Parikh and Pradeep Agrawal.


Bugs: RANGER-4599
    https://issues.apache.org/jira/browse/RANGER-4599


Repository: ranger


Description
-------

KMS servicedefs and KMS policies can only be accessed by keyadmin users, and
ideally, KMS services should also be accessible only by keyadmin users.
But currently, it is possible for admin users to perform CRUD operations on KMS
service repos.
This fix addresses the issue and makes sure that only keyadmin users can
access KMS services.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 136a1309b 


Diff: https://reviews.apache.org/r/74765/diff/1/


Testing
-------

1. Fetched the list of services using the /plugins/services and
/public/v2/api/service API endpoints as the admin user, and ensured that the KMS
service repos are not present in the response. Fetched the list of services
as the keyadmin user, and ensured that only KMS services are returned.
2. Tried fetching the KMS service by id as the admin user, and ensured that the
KMS service is not returned. Ensured that the KMS service is returned for the
keyadmin user.
   APIs tested:
   a. /plugins/services/{service_id}
   b. /public/v2/api/service/{service_id}
   Also tested and verified that non-KMS service repos are accessible by admin
users for the above-mentioned APIs.
3. Tried a PUT request to KMS service repos, and ensured that the request is
denied for admin users and allowed for keyadmin users.
   Also ensured that PUT requests to non-KMS service repos are allowed for admin
users and denied for keyadmin users.
4. Tried a DELETE request for a KMS service repo by id, and ensured that the
request is denied for the admin user and allowed for the keyadmin user.
   Tried a DELETE request for a non-KMS service repo by id, and ensured that
the request is allowed for the admin user and denied for the keyadmin user.


Thanks,

Abhishek Patil
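The testing section above is an access matrix: keyadmin owns KMS repos, admin owns everything else, across list, GET-by-id, PUT and DELETE. The following is an added example, not part of the Ranger patch or the reviewer's own tooling: it encodes that matrix and checks API outcomes against it offline, using a `call(user, method, path)` callable that the caller supplies (a fake server here; a real one would wrap HTTP calls to Ranger Admin). The service names, ids and the 403 status are constructed assumptions; only the two by-id endpoint paths come from the review.

```python
# Added example: offline checker for the admin/keyadmin access matrix described in the review.
from typing import Callable, Dict, List

# Endpoint paths named in the review; any non-200 status is treated as "denied".
SERVICE_BY_ID = ["/plugins/services/{id}", "/public/v2/api/service/{id}"]

def expected_allowed(user: str, service_type: str) -> bool:
    """keyadmin may touch only kms repos; admin may touch everything except kms."""
    if user == "keyadmin":
        return service_type == "kms"
    if user == "admin":
        return service_type != "kms"
    return False  # any other role: deny by default

def check_listing(user: str, services: List[Dict]) -> List[str]:
    """Violations in a list response: a service this user must never be shown."""
    return [f"{user} listed {s['name']} (type {s['type']})"
            for s in services if not expected_allowed(user, s["type"])]

def check_matrix(call: Callable[[str, str, str], int], services: List[Dict]) -> List[str]:
    """Compare every user/service/endpoint/method outcome with the expected rule.
    `call(user, method, path)` returns an HTTP status; 200 counts as allowed."""
    violations = []
    for user in ("admin", "keyadmin"):
        for s in services:
            want = expected_allowed(user, s["type"])
            for tpl in SERVICE_BY_ID:
                path = tpl.format(id=s["id"])
                for method in ("GET", "PUT", "DELETE"):
                    got = call(user, method, path) == 200
                    if got != want:
                        violations.append(f"{user} {method} {path}: "
                                          f"{'allowed' if got else 'denied'}, expected "
                                          f"{'allowed' if want else 'denied'}")
    return violations

# Constructed sample inventory (hypothetical service names and ids).
SAMPLE_SERVICES = [
    {"id": 1, "name": "cl1_hive", "type": "hive"},
    {"id": 2, "name": "cl1_kms", "type": "kms"},
]

def fixed_server(user: str, method: str, path: str) -> int:
    """Simulated post-fix Ranger Admin: status decided purely by the access rule."""
    svc = next(s for s in SAMPLE_SERVICES if path.endswith(f"/{s['id']}"))
    return 200 if expected_allowed(user, svc["type"]) else 403

def leaky_server(user: str, method: str, path: str) -> int:
    """Simulated pre-fix behaviour: admin can also reach kms repos."""
    svc = next(s for s in SAMPLE_SERVICES if path.endswith(f"/{s['id']}"))
    return 200 if user == "admin" or expected_allowed(user, svc["type"]) else 403
```

Running `check_matrix(fixed_server, SAMPLE_SERVICES)` yields no violations, while the pre-fix simulation reports one violation per method and endpoint for admin on the kms repo.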
