Re: Review Request 57018: RANGER-1409 : User role get deleted from table when he tries to update his role to a restricted role

2017-02-27 Thread Velmurugan Periasamy

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57018/#review167000
---


Ship it!

- Velmurugan Periasamy


On Feb. 24, 2017, 9:02 a.m., Pradeep Agrawal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57018/
> ---
> 
> (Updated Feb. 24, 2017, 9:02 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, 
> Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1409
> https://issues.apache.org/jira/browse/RANGER-1409
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> **Problem Statement:** User role gets deleted from the x_portal_user_role 
> table and login does not work when he tries to update his role to a 
> restricted role for his profile by using the Post method of API 
> /service/users/ . 
> 
> **Proposed solution:** User's new requested role should be validated and if 
> the requested role is invalid then the server should return an error message.
> 
> **Allowed Roles:**
> User having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER'
> User having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER'
> User having role 'ROLE_USER' should not be able to change his role to any 
> other role.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89 
> 
> Diff: https://reviews.apache.org/r/57018/diff/
> 
> 
> Testing
> ---
> 
> **Steps performed on running Ranger admin node without applying the patch :** 
> *Request :* 
> curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
>   --user rangerusersync:rangerusersync -X PUT \
>   http://localhost:6080/service/users -d \
>   '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}'
> 
> 
> *Response:* 
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; HttpOnly
> X-Frame-Options: DENY
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Fri, 24 Feb 2017 06:05:08 GMT
> 
> {"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[]}
> 
> *Observation :* After above request it was observed that 'rangerusersync' 
> role was deleted from x_portal_user_role and 'rangerusersync' login was not 
> working.
> 
> **Steps performed with 

Review Request 57018: RANGER-1409 : User role get deleted from table when he tries to update his role to a restricted role

2017-02-24 Thread Pradeep Agrawal

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57018/
---

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, 
Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-1409
https://issues.apache.org/jira/browse/RANGER-1409


Repository: ranger


Description
---

**Problem Statement:** User role gets deleted from the x_portal_user_role table 
and login does not work when he tries to update his role to a restricted role 
for his profile by using the Post method of API /service/users/ . 

**Proposed solution:** User's new requested role should be validated and if 
the requested role is invalid then the server should return an error message.

**Allowed Roles:**
User having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER'
User having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER'
User having role 'ROLE_USER' should not be able to change his role to any 
other role.


Diffs
-

  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89 

Diff: https://reviews.apache.org/r/57018/diff/


Testing
---

**Steps performed on running Ranger admin node without applying the patch :** 
*Request :* 
curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
  --user rangerusersync:rangerusersync -X PUT \
  http://localhost:6080/service/users -d \
  '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}'


*Response:* 
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; HttpOnly
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Fri, 24 Feb 2017 06:05:08 GMT

{"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],"userPermList":[{"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},{"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},{"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},{"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},{"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],"groupPermissions":[]}

*Observation :* After above request it was observed that 'rangerusersync' role 
was deleted from x_portal_user_role and 'rangerusersync' login was not working.

**Steps performed with patch :**

*Request :* 
curl -i --header "Accept:application/json" -H "Content-Type:application/json" 
--user rangerusersync:rangerusersync -X PUT  
http://localhost:6080/service/users -d 
'{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync
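
The rule under "Allowed Roles" in the Description above, enforced before the stored role is touched, as an added example (not code from the patch or from Ranger's UserMgr.java). The class and method names, the in-memory map standing in for x_portal_user_role, the one-role-per-request rule and the starting role of rangerusersync are assumptions.

```java
import java.util.*;

// Added example, not Ranger's UserMgr code; all names here are hypothetical.
public class SelfRoleChangeCheck {
    // Transitions listed under "Allowed Roles" in the review request.
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "ROLE_SYS_ADMIN", Set.of("ROLE_USER"),
        "ROLE_KEY_ADMIN", Set.of("ROLE_USER"),
        "ROLE_USER", Set.<String>of());

    // In-memory stand-in for x_portal_user_role: loginId -> role.
    static final Map<String, String> roleTable = new HashMap<>();

    // Returns the role to store, or throws before anything is modified.
    static String validate(String current, List<String> requested) {
        // Assumption: a profile update carries exactly one non-null role.
        if (requested == null || requested.size() != 1 || requested.get(0) == null)
            throw new IllegalArgumentException("exactly one role must be requested");
        String wanted = requested.get(0);
        if (wanted.equals(current)) return current; // assumption: unchanged role is fine
        if (current == null || !ALLOWED.getOrDefault(current, Set.of()).contains(wanted))
            throw new IllegalArgumentException(current + " may not become " + wanted);
        return wanted;
    }

    static boolean updateOwnRole(String loginId, List<String> requested) {
        try {
            String next = validate(roleTable.get(loginId), requested);
            roleTable.put(loginId, next); // the only write, reached after validation
            return true;
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
            return false; // the stored role has not been touched
        }
    }

    public static void main(String[] args) {
        roleTable.put("rangerusersync", "ROLE_SYS_ADMIN"); // constructed starting state
        updateOwnRole("rangerusersync", List.of("ROLE_KEY_ADMIN")); // not in the allowed list
        updateOwnRole("rangerusersync", List.of());                 // empty userRoleList
        System.out.println(roleTable.get("rangerusersync"));
        updateOwnRole("rangerusersync", List.of("ROLE_USER"));      // listed transition
        updateOwnRole("rangerusersync", List.of("ROLE_SYS_ADMIN")); // ROLE_USER asking for more
        System.out.println(roleTable.get("rangerusersync"));
    }
}
```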