Re: Review Request 57018: RANGER-1409 : User role get deleted from table when he tries to update his role to a restricted role
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57018/#review167000
---

Ship it!

Ship It!

- Velmurugan Periasamy


On Feb. 24, 2017, 9:02 a.m., Pradeep Agrawal wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57018/
> ---
> 
> (Updated Feb. 24, 2017, 9:02 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1409
>     https://issues.apache.org/jira/browse/RANGER-1409
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> **Problem Statement:** User role gets deleted from the x_portal_user_role table and login does not work when he tries to update his role to a restricted role for his profile by using the Post method of API /service/users/.
> 
> **Proposed solution:** The user's new requested role should be validated and, if the requested role is invalid, the server should return an error message.
> 
> **Allowed Roles:**
> User having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER'
> User having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER'
> User having role 'ROLE_USER' should not be able to change his role to any other role.
> 
> 
> Diffs
> -
> 
>   security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89
> 
> Diff: https://reviews.apache.org/r/57018/diff/
> 
> 
> Testing
> ---
> 
> **Steps performed on running Ranger admin node without applying the patch:**
> 
> *Request:*
> curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
>   --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users \
>   -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
>        "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
>        "userPermList":[
>          {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
>          {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
>          {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
>          {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
>          {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],
>        "groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}'
> 
> *Response:*
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; HttpOnly
> X-Frame-Options: DENY
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Fri, 24 Feb 2017 06:05:08 GMT
> 
> {"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
>  "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
>  "userPermList":[
>    {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
>    {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
>    {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
>    {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
>    {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],
>  "groupPermissions":[]}
> 
> *Observation:* After the above request it was observed that the 'rangerusersync' role was deleted from x_portal_user_role and the 'rangerusersync' login was not working.
> 
> **Steps performed with
Review Request 57018: RANGER-1409 : User role get deleted from table when he tries to update his role to a restricted role
---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57018/
---

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-1409
    https://issues.apache.org/jira/browse/RANGER-1409


Repository: ranger


Description
---

**Problem Statement:** User role gets deleted from the x_portal_user_role table and login does not work when he tries to update his role to a restricted role for his profile by using the Post method of API /service/users/.

**Proposed solution:** The user's new requested role should be validated and, if the requested role is invalid, the server should return an error message.

**Allowed Roles:**
User having role 'ROLE_SYS_ADMIN' can change his role to 'ROLE_USER'
User having role 'ROLE_KEY_ADMIN' can change his role to 'ROLE_USER'
User having role 'ROLE_USER' should not be able to change his role to any other role.


Diffs
-

  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 6eabc89

Diff: https://reviews.apache.org/r/57018/diff/


Testing
---

**Steps performed on running Ranger admin node without applying the patch:**

*Request:*
curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
  --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users \
  -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
       "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
       "userPermList":[
         {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
         {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
         {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
         {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
         {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],
       "groupPermissions":[],"password":"","profileImageGId":"","emailAddress":"","isTestUser":"","isRegistered":"","isInternal":"","gender":"","timeZone":"","oldPassword":"","newPassword":"","reEnterPassword":""}'

*Response:*
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=6594B722959628DE9E2BBF6E85E440AB; Path=/; HttpOnly
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Fri, 24 Feb 2017 06:05:08 GMT

{"id":2,"createDate":null,"updateDate":null,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123",
 "publicScreenName":"rangerusersync Admin123","userSource":0,"userRoleList":["ROLE_KEY_ADMIN"],
 "userPermList":[
   {"id":6,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":3,"isAllowed":1,"userName":"rangerusersync","moduleName":"Reports"},
   {"id":7,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":1,"isAllowed":1,"userName":"rangerusersync","moduleName":"Resource Based Policies"},
   {"id":8,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":4,"isAllowed":1,"userName":"rangerusersync","moduleName":"Audit"},
   {"id":9,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":2,"isAllowed":1,"userName":"rangerusersync","moduleName":"Users/Groups"},
   {"id":10,"createDate":"2017-02-22T09:51:23Z","updateDate":"2017-02-22T09:51:23Z","userId":2,"moduleId":6,"isAllowed":1,"userName":"rangerusersync","moduleName":"Tag Based Policies"}],
 "groupPermissions":[]}

*Observation:* After the above request it was observed that the 'rangerusersync' role was deleted from x_portal_user_role and the 'rangerusersync' login was not working.

**Steps performed with patch:**

*Request:*
curl -i --header "Accept:application/json" -H "Content-Type:application/json" \
  --user rangerusersync:rangerusersync -X PUT http://localhost:6080/service/users \
  -d '{"id":2,"loginId":"rangerusersync","status":1,"firstName":"rangerusersync","lastName":"Admin123","publicScreenName":"rangerusersync
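The check that the proposed solution calls for, written out as an added example rather than the UserMgr.java change under review: the transition table is taken from the Allowed Roles list in the description, while the class name, the method name and the assumption that a user holds exactly one role are mine. The point is that the request is rejected before anything touches x_portal_user_role, so a bad request can no longer leave the user with no role row.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Illustrative self-service role change check modelled on the Allowed Roles list in the
// review request; not Ranger's UserMgr code, and class and method names are assumed.
public class RoleChangeValidator {
    // Target roles each current role may move to. Absent from this map = not a known role.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "ROLE_SYS_ADMIN", Set.of("ROLE_USER"),
        "ROLE_KEY_ADMIN", Set.of("ROLE_USER"),
        "ROLE_USER",      Set.<String>of());    // ROLE_USER may not change to any other role

    // Returns null if a user holding currentRole may submit this userRoleList, otherwise the
    // error message to send back; nothing is written to the role table until this returns null.
    public static String validate(String currentRole, List<String> requestedRoles) {
        if (!ALLOWED.containsKey(currentRole)) {
            return "current role '" + currentRole + "' is not recognised";
        }
        // An empty or multi-valued list is rejected outright: accepting an empty list is
        // what would leave the user with no row in x_portal_user_role.
        if (requestedRoles == null || requestedRoles.size() != 1) {
            return "userRoleList must contain exactly one role";
        }
        String requested = requestedRoles.get(0);
        if (requested.equals(currentRole)) {
            return null;                        // re-submitting the current role is a no-op
        }
        if (!ALLOWED.containsKey(requested)) {
            return "requested role '" + requested + "' does not exist";
        }
        if (!ALLOWED.get(currentRole).contains(requested)) {
            return "changing role " + currentRole + " -> " + requested + " is not permitted";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed cases: the two permitted step-downs, the PUT from the testing section
        // (assuming rangerusersync holds ROLE_SYS_ADMIN there), a ROLE_USER escalation
        // attempt, an empty list, and an unknown role name.
        System.out.println(validate("ROLE_SYS_ADMIN", List.of("ROLE_USER")));
        System.out.println(validate("ROLE_KEY_ADMIN", List.of("ROLE_USER")));
        System.out.println(validate("ROLE_SYS_ADMIN", List.of("ROLE_KEY_ADMIN")));
        System.out.println(validate("ROLE_USER", List.of("ROLE_SYS_ADMIN")));
        System.out.println(validate("ROLE_SYS_ADMIN", List.of()));
        System.out.println(validate("ROLE_USER", List.of("ROLE_DOES_NOT_EXIST")));
    }
}
```

Only the first two cases return null; every other case yields a message that the endpoint would return instead of a 200 with the role silently removed.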