> On Sept. 14, 2015, 10:27 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java, line 158 > > <https://reviews.apache.org/r/37943/diff/5/?file=1072392#file1072392line158> > > > > With addition of checkAdminAccess(), this method is callable only by > > admin-user. Please confirm that this method, and other places where > > checkAdminAccess() is added, are not useed by UgSync.
Usersync uses user `rangerusersync` which has role ROLE_SYS_ADMIN. So this will work as it is. > On Sept. 14, 2015, 10:27 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java, line 51 > > <https://reviews.apache.org/r/37943/diff/5/?file=1072393#file1072393line51> > > > > Who uses APIs *XTrxLog() APIs? It looks like only searchXAccessAudits() > > and getXAccessAuditSearchCount() are used (from XAuditREST.java). If other > > methods are not used, we should simply remove them from REST/Mgr/..and all > > layers. TrxLog will never get generated using this APIs, and that is expected. We will remove this unused APIs in upcoming patch. > On Sept. 14, 2015, 10:27 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java, line 826 > > <https://reviews.apache.org/r/37943/diff/5/?file=1072394#file1072394line826> > > > > Why is this restricted to admin-access? Shouldn't an user with > > Users/Groups permission be able to access this API? Please review other > > APIs here for similar restriction. No, User with permission on User/Groups tab can only view users and groups. Cannot perform wirtable operations i.e create/update/delete > On Sept. 14, 2015, 10:27 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java, > > line 80 > > <https://reviews.apache.org/r/37943/diff/5/?file=1072406#file1072406line80> > > > > Consider retrieving permissions for the current user during log and > > storing it in UserSession. This will save from having to run DB queries for > > every REST API call, to check the permissions. This one will be covered in next patch, we can track this one in separate JIRA. > On Sept. 14, 2015, 10:27 p.m., Madhan Neethiraj wrote: > > security-admin/src/main/resources/META-INF/jpa_named_queries.xml, line 544 > > <https://reviews.apache.org/r/37943/diff/5/?file=1072410#file1072410line544> > > > > If this query is not used, please remove. This query is being used in XXModuleDefDao.java - Gautam ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/37943/#review98919 ----------------------------------------------------------- On Sept. 15, 2015, 11:49 a.m., Gautam Borad wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/37943/ > ----------------------------------------------------------- > > (Updated Sept. 15, 2015, 11:49 a.m.) > > > Review request for ranger, Alok Lal, Don Bosco Durai, Madhan Neethiraj, > Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy. > > > Bugs: RANGER-630 > https://issues.apache.org/jira/browse/RANGER-630 > > > Repository: ranger > > > Description > ------- > > Make data access consistent across REST API and UI. > > > Diffs > ----- > > security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 939ddc2 > security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java d9812f9 > security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 700caff > security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java > 9f5abfb > security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java > 611eaf8 > security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java e5de160 > security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java > 059f787 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > 3d2e8b0 > security-admin/src/main/java/org/apache/ranger/rest/UserREST.java a9d0059 > security-admin/src/main/java/org/apache/ranger/rest/XAuditREST.java 531f395 > security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java 1c0f9fc > security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 93980b4 > > security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java > PRE-CREATION > > security-admin/src/main/java/org/apache/ranger/service/XAuditMapService.java > 1f48c86 > security-admin/src/main/java/org/apache/ranger/service/XPermMapService.java > 7e5eb10 > > security-admin/src/main/java/org/apache/ranger/service/XResourceService.java > fa6679a > security-admin/src/main/resources/META-INF/jpa_named_queries.xml 7761756 > security-admin/src/main/resources/conf.dist/security-applicationContext.xml > a648809 > security-admin/src/test/java/org/apache/ranger/audit/TestAuditQueue.java > 021c49a > security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java e18e51c > security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java > bb74bb8 > security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java > e7324a1 > > Diff: https://reviews.apache.org/r/37943/diff/ > > > Testing > ------- > > 1) Tested on Ranger UI working of permission model. > 2) Test REST calls to reflect access conrol based on Permission model. > 3) Checked cases like revoking access to 'user1' (having user role) from > Audit tab (using permission model) and making curl call to Audit tab's REST > APIs. > > > Thanks, > > Gautam Borad > >
