Re: Review Request 39122: RANGER-688 : Handle scenario where ids of XUser and XPortalUser are not in sync

Wed, 14 Oct 2015 10:42:41 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39122/
-----------------------------------------------------------

(Updated Oct. 14, 2015, 10:27 a.m.)


Review request for ranger, Alok Lal, Don Bosco Durai, Abhay Kulkarni, Madhan 
Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Changes
-------

Updated patch as per Madhan's recommendation


Bugs: RANGER-688
    https://issues.apache.org/jira/browse/RANGER-688


Repository: ranger


Description
-------

*Current Implementation:*

x_user_module_perm.userId refers to x_portal_user.id but while 
assigning/revoking permissions using permission model, UI sends userId of 
x_user table.
So this is a bug in current implementation because UI sends x_user.id and 
server assumes that it's x_portal_user.id and will create permission.
When IDs of x_user and x_portal_user will not be in sync at that time this may 
cause a serious issue.

*Fix provided in patch:*

UI will always have x_user/s but on server side x_portal_user/s required. So 
now we can't expect UI to send x_portal_user.id in userPermission object so in 
patch what we have done is:
Let UI send x_user.id in userPermission object but on server side it will be 
mapped to x_portal_user.id and same when UI is reading permissions, let 
database return x_portal_user.id that will be mapped to x_user.id. 
Due to this UI remains as it is and also, we don't need to change table 
structure of x_user_module_perm.


Diffs (updated)
-----

  security-admin/scripts/setup.sh 9710706ed5147d572dd988eaf7db5e757a8338f2 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
b86087773c97770a96ee62fa817b10615be08bab 
  security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java 
59e55f3e1db02f1fdd2d03dd22183929b1173027 
  security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java 
d3467f86aefccca9b0387e382628b95e4466eecd 
  security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java 
088759469608ab45e3ad3341ad2bf6558a30f5d9 
  security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java 
e10dc14fdcb58265467aa02d0a9b9b2aea1040ad 
  
security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
 f0aa938dd918124e050ee54a3dcc64e86e3f5236 
  
security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
 3ff9c8d0ac070032089bcbc9f5c3c33c401b30b3 
  
security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java
 59c082d2760acc8bd296b29497ab763cbb97c407 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml 
0370e9abe60582152f6d71ac8e0ed8312e4f2e7f 

Diff: https://reviews.apache.org/r/39122/diff/


Testing
-------

Tested by creating a XPOrtalUser user using curl command and then for a new 
user, assigned permissions to check if permissions are not messed up.


Thanks,

Gautam Borad

Reply via email to