----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/54623/#review159547 -----------------------------------------------------------
agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java (line 347) <https://reviews.apache.org/r/54623/#comment230574> if a request object contains multiple invalid access types then we need to display all of them in the error response message. - Pradeep Agrawal On Dec. 13, 2016, 9:45 a.m., Pradeep Agrawal wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/54623/ > ----------------------------------------------------------- > > (Updated Dec. 13, 2016, 9:45 a.m.) > > > Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay > Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, > and Velmurugan Periasamy. > > > Bugs: RANGER-1250 > https://issues.apache.org/jira/browse/RANGER-1250 > > > Repository: ranger > > > Description > ------- > > ** Problem Statement : ** If we create a policy with non-existing permissions > through curl then, it gets created successfully but has an impact on UI as > permission module goes in the loading state. > Example: > in hive's row-level-filtering there is no 'update' permission in Access. If > we create a policy with 'select' and 'update' in Access then it allows us to > create a policy(returns response code 204) but ranger-ui permission module > shows loading icon. > > ** Proposed Solution:** Proposed solution contain changes which shall > validate whether provided access-permissions are allowed or not. If > permissions are not allowed/invalid then create/update request shall fail > with response code 400 bad request. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/model/validation/RangerPolicyValidator.java > 279489d > > Diff: https://reviews.apache.org/r/54623/diff/ > > > Testing > ------- > > **Steps performed(with patch)** > 1. Installed and started Ranger admin. > 2. tried to create row level filter policy with 'update' permission using > REST : > > curl -i --header "Accept:application/json" -H "Content-Type:application/json" > --user admin:admin -X POST > http://localhost:8080/security-admin-web/service/plugins/policies -d > '{"policyType":"2","name":"policy2","isEnabled":true,"isAuditEnabled":true,"description":"","resources":{"database":{"values":["db1"],"isRecursive":"","isExcludes":false},"table":{"values":["table1"],"isRecursive":"",";isExcludes":false}},"rowFilterPolicyItems":[{"users":["hive"],"accesses":[{"type":"update","isAllowed":true}]}],"service":"hivedev"}' > > **Expected Result :** Policy creation should fail with appropriate error > message. > > **Actual Result :** Policy creation failed with following response : > > HTTP/1.1 400 Bad Request > Server: Apache-Coyote/1.1 > Set-Cookie: RANGERADMINSESSIONID=F42CDCA50B714E240D5B17319D6458F0; > Path=/security-admin-web/; HttpOnly > X-Frame-Options: DENY > Content-Type: application/json > Transfer-Encoding: chunked > Date: Mon, 12 Dec 2016 05:32:07 GMT > Connection: close > > {"statusCode":1,"msgDesc":"(0) Validation failure: error code[3022], > reason[Invalid access type: access type=[update], valid access > types=[[select]]], field[row filter policy item access type], subfield[null], > type[semantically incorrect] "} > > > Thanks, > > Pradeep Agrawal > >
