-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50118/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj,
and Velmurugan Periasamy.
Bugs: RANGER-1090
https://issues.apache.org/jira/browse/RANGER-1090
Repository: ranger
Description
-------
**Note:** This review request is part of RR-49795 (RANGER-1090).
**Problem Statement:**
A revoke command with 'revoke grant option' does not disable the delegated admin
permission for users/groups in the corresponding policy.
Currently, a revoke request deletes the applicable policy item and creates two
additional policy items of type 'ALLOW' and 'DENY_EXCEPTIONS' in the
x_policy_item table. Reference entries are also created in the
x_policy_item_access and x_policy_item_user_perm/x_policy_item_group_perm
tables. This should not happen for a revoke request.
**Proposed Solution:**
Removed the implementation that was creating additional policy items and
enabled the revoke request call only for the 'Allow' policy type; from
processRevokeRequest(), called the required/available method to remove the
policy item access list and update the existing policy.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java d794565
Diff: https://reviews.apache.org/r/50118/diff/
Testing
-------
**Case-1:** Upgrade case: Validated the revoke request (with patch) for a
resource where the policy was created using the grant command in the previous
version of Ranger (0.6). The revoke command was not executed through the
previous version of Ranger (0.6) for the same resource.
**Case-2:** Upgrade case: Validated the revoke request (with patch) for a
resource where the policy was created using the grant command in the previous
version of Ranger (0.6). The revoke command was also executed through the
previous version of Ranger (0.6) for the same resource.
**Case-3:** Fresh installation case: Validated the grant/revoke request (with
patch) for a resource where a policy for the resource does not exist.
Thanks,
Pradeep Agrawal
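
The in-place revoke described under "Proposed Solution" above, as an added example that is not part of the original e-mail and is not Ranger's code. `PolicyItem`, `RevokeRequest`, `revoke_in_place` and the sample users are hypothetical names for a simplified model, and it assumes each matching item lists only principals named in the request.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyItem:
    """Simplified stand-in for one x_policy_item row and its child rows."""
    users: set
    groups: set
    accesses: set
    delegate_admin: bool = False
    item_type: str = "ALLOW"

@dataclass
class RevokeRequest:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    access_types: set = field(default_factory=set)
    delegate_admin: bool = False  # True models 'revoke grant option'

def revoke_in_place(items, req):
    """Apply a revoke to the existing ALLOW items only; never append items."""
    kept = []
    for item in items:
        named = (item.users & req.users) or (item.groups & req.groups)
        if item.item_type != "ALLOW" or not named:
            kept.append(item)  # untouched: other item types, other principals
            continue
        # Assumption: the item lists only principals named in the request,
        # so it can be edited without affecting anyone else.
        item.accesses -= req.access_types
        if req.delegate_admin:
            item.delegate_admin = False  # disable delegated admin
        if item.accesses or item.delegate_admin:
            kept.append(item)  # still grants something: keep the updated row
    return kept

def is_delegated_admin(items, user):
    """True if any ALLOW item still gives `user` delegated admin."""
    return any(i.item_type == "ALLOW" and i.delegate_admin and user in i.users
               for i in items)

def sample_policy():
    # Constructed sample data: alice was granted with grant option, bob without.
    return [PolicyItem({"alice"}, set(), {"select", "update"}, delegate_admin=True),
            PolicyItem({"bob"}, set(), {"select"})]
```
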