Review Request 54623: RANGER-1250 : If non-existing access-permissions are added through curl then permission module shows loading icon.

Pradeep Agrawal Tue, 13 Dec 2016 01:46:06 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/54623/
-----------------------------------------------------------


Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, 
and Velmurugan Periasamy.


Bugs: RANGER-1250
    https://issues.apache.org/jira/browse/RANGER-1250


Repository: ranger


Description
-------

** Problem Statement : ** If we create a policy with non-existing permissions 
through curl then, it gets created successfully but has an impact on UI as 
permission module goes in the loading state.
Example:
in hive's row-level-filtering there is no 'update' permission in Access. If we 
create a policy with 'select' and 'update' in Access then it allows us to 
create a policy(returns response code 204) but ranger-ui permission module 
shows loading icon.

** Proposed Solution:** Proposed solution contain changes which shall validate 
whether provided access-permissions are allowed or not. If permissions are not 
allowed/invalid then create/update request shall fail with response code 400 
bad request.


Diffs
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java
 279489d 

Diff: https://reviews.apache.org/r/54623/diff/


Testing
-------

**Steps performed(with patch)**
1. Installed and started Ranger admin.
2. tried to create row level filter policy with 'update' permission using REST 
: 

curl -i --header "Accept:application/json" -H "Content-Type:application/json" 
--user admin:admin -X POST 
http://localhost:8080/security-admin-web/service/plugins/policies -d 
'{"policyType":"2","name":"policy2","isEnabled":true,"isAuditEnabled":true,"description":"","resources":{"database":{"values":["db1"],"isRecursive":"","isExcludes":false},"table":{"values":["table1"],"isRecursive":"",";isExcludes":false}},"rowFilterPolicyItems":[{"users":["hive"],"accesses":[{"type":"update","isAllowed":true}]}],"service":"hivedev"}'

**Expected Result :** Policy creation should fail with appropriate error 
message.

**Actual Result :** Policy creation failed with following response :

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=F42CDCA50B714E240D5B17319D6458F0; 
Path=/security-admin-web/; HttpOnly
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 12 Dec 2016 05:32:07 GMT
Connection: close

{"statusCode":1,"msgDesc":"(0) Validation failure: error code[3022], 
reason[Invalid access type: access type=[update], valid access 
types=[[select]]], field[row filter policy item access type], subfield[null], 
type[semantically incorrect] "}


Thanks,

Pradeep Agrawal

Review Request 54623: RANGER-1250 : If non-existing access-permissions are added through curl then permission module shows loading icon.

Reply via email to