[
https://issues.apache.org/jira/browse/RANGER-443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15296138#comment-15296138
]
Pradeep Agrawal commented on RANGER-443:
----------------------------------------
Tried the below-mentioned things on the latest code of the master branch:
1. Created user 'testuser1'.
2. Provided permission on the User-Group module to user 'testuser1'; the row id generated for this entry in the x_user_module_perm table was 27.
3. Removed the permission of user 'testuser1' from the UI, which changed the is_allowed column value from 1 to 0.
4. To remove the permission entry from the table, called the DELETE REST API mentioned below:
   curl -i -u admin:admin --header "Accept:application/json" -H "Content-Type:application/json" -X DELETE http://localhost:8080/security-admin-web/service/xusers/permission/user/27
5. Now tried to access permission id 27 from users having the 'User' role and the 'Admin' role.
   a) Request from user (testuser1) having the 'User' role:
      curl -i -u testuser1:user1234 --header "Accept:application/json" -H "Content-Type:application/json" -X GET http://localhost:8080/security-admin-web/service/xusers/permission/user/27
      Response code received: 403 Forbidden
   b) Request from user (admin) having the 'Admin' role:
      curl -i -u admin:admin --header "Accept:application/json" -H "Content-Type:application/json" -X GET http://localhost:8080/security-admin-web/service/xusers/permission/user/27
      Response code received: 404 Not Found
Conclusion: Permission tab module access is restricted to users having the 'Admin' role. The @PreAuthorize annotation is executed before the called REST API is processed. Since permission-tab-related operations (allowing/removing any user/group from any module) are restricted to only the 'Admin' role, a normal user shall always get response code 403.
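The ordering described in the comment (role check first, then resource lookup) is the reason a 'User'-role caller sees 403 for id 27 regardless of whether the row still exists, while the 'Admin' caller sees 200 before the delete and 404 after it. The following is an added, self-contained Python model of that control flow; it is not Ranger code. The `pre_authorize` decorator stands in for Spring's @PreAuthorize, the in-memory table stands in for x_user_module_perm, and the role names 'Admin' and 'User' are taken from the comment above; everything else (class and function names, the 204 on delete) is this example's own assumption.

```python
"""Toy model of authorization-before-lookup, as an illustration of the
RANGER-443 comment (not Ranger code).  A role check runs before the handler
body, so a caller without the role never reaches the database lookup and
cannot learn whether a permission id exists."""
from dataclasses import dataclass
from functools import wraps


class HttpError(Exception):
    """Carries the HTTP status a handler decided to return."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


def pre_authorize(*required_roles):
    """Stand-in for @PreAuthorize("hasRole(...)") (assumed name).  The check
    executes before the wrapped handler, so on failure the handler body
    (and its table lookup) is never entered."""

    def decorator(handler):
        @wraps(handler)
        def wrapper(self, principal, *args, **kwargs):
            if not principal.roles.intersection(required_roles):
                raise HttpError(403, "Forbidden")
            return handler(self, principal, *args, **kwargs)

        return wrapper

    return decorator


class UserPermissionResource:
    """Stand-in for the xusers/permission/user/{id} endpoint, backed by a
    constructed in-memory table shaped like x_user_module_perm."""

    def __init__(self):
        # id -> (login_id, module, is_allowed); row 27 mirrors step 2 of the comment
        self.table = {27: ("testuser1", "User-Group", 1)}

    @pre_authorize("Admin")
    def get_permission(self, principal, perm_id):
        row = self.table.get(perm_id)
        if row is None:
            raise HttpError(404, "Not Found")
        return {"id": perm_id, "user": row[0], "module": row[1], "isAllowed": row[2]}

    @pre_authorize("Admin")
    def delete_permission(self, principal, perm_id):
        if perm_id not in self.table:
            raise HttpError(404, "Not Found")
        del self.table[perm_id]


def request(resource, method, principal, perm_id):
    """Dispatch one request and return the HTTP status it would produce."""
    handlers = {"GET": resource.get_permission, "DELETE": resource.delete_permission}
    try:
        handlers[method](principal, perm_id)
    except HttpError as err:
        return err.status
    return 204 if method == "DELETE" else 200


def reproduce_scenario():
    """Replay steps 4 and 5 of the comment around the delete of id 27.
    Returns a dict of observed status codes."""
    res = UserPermissionResource()
    admin = Principal("admin", frozenset({"Admin"}))
    user = Principal("testuser1", frozenset({"User"}))
    observed = {
        "user_get_before_delete": request(res, "GET", user, 27),
        "admin_get_before_delete": request(res, "GET", admin, 27),
        "admin_delete": request(res, "DELETE", admin, 27),
        "user_get_after_delete": request(res, "GET", user, 27),
        "admin_get_after_delete": request(res, "GET", admin, 27),
    }
    return observed


if __name__ == "__main__":
    for step, status in reproduce_scenario().items():
        print(f"{step}: {status}")
```

The 'User'-role caller gets 403 both before and after the delete, which matches the comment's conclusion and also means the endpoint does not leak whether a given permission id exists to non-admin callers; the 404 only becomes visible to a caller who already passed the role check.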
> Incorrect http status code for missing ranger portal permission
> --------------------------------------------------------------
>
> Key: RANGER-443
> URL: https://issues.apache.org/jira/browse/RANGER-443
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 0.5.0
> Reporter: Dilli Arumugam
> Assignee: Pradeep Agrawal
> Priority: Minor
>
> Created user module permission.
> Deleted the permission.
> Tried to get the permission.
> curl -i -v -u permtestuser1:permtestuser1 -X GET -H "Accept:
> application/json" http://localhost:6080/service/xusers/permission/user/200
> About to connect() to localhost port 6080 (#0)
> Trying ::1... connected
> Connected to localhost (::1) port 6080 (#0)
> Server auth using Basic with user 'permtestuser1'
> > GET /service/xusers/permission/user/200 HTTP/1.1
> > Authorization: Basic cGVybXRlc3R1c2VyMTpwZXJtdGVzdHVzZXIx
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
> > NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:6080
> > Accept: application/json
> >
> < HTTP/1.1 400 Bad Request
> HTTP/1.1 400 Bad Request
> < Server: Apache-Coyote/1.1
> Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=B33F499239B04ACAD15D6ADD38558AC0; Path=/; HttpOnly
> Set-Cookie: JSESSIONID=B33F499239B04ACAD15D6ADD38558AC0; Path=/; HttpOnly
> < Content-Type: application/json
> Content-Type: application/json
> < Transfer-Encoding: chunked
> Transfer-Encoding: chunked
> < Date: Mon, 27 Apr 2015 19:10:46 GMT
> Date: Mon, 27 Apr 2015 19:10:46 GMT
> < Connection: close
> Connection: close
> <
> Closing connection #0
> Unknown macro: {"statusCode"}
> Please note the status code
> HTTP/1.1 400 Bad Request
> It should return
> HTTP/1.1 404 Not Found
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)