----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/68096/#review206579 -----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java Line 3115 (original), 3118 (patched) <https://reviews.apache.org/r/68096/#comment289572> Removed: RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService()); Reason : Line-3122 is calling hasAdminAccess(policy, userName, userGroups) method. Since hasAdminAccess() method is calling the RangerPolicyEngine policyEngine = getDelegatedAdminPolicyEngine(policy.getService()) so I feel the same can be removed from here. security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java Line 3440 (original), 3441 (patched) <https://reviews.apache.org/r/68096/#comment289573> Same as my previous comment. - Pradeep Agrawal On July 29, 2018, 12:07 p.m., Pradeep Agrawal wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/68096/ > ----------------------------------------------------------- > > (Updated July 29, 2018, 12:07 p.m.) > > > Review request for ranger, Ankita Sinha, deepak sharma, Gautam Borad, Abhay > Kulkarni, Madhan Neethiraj, Mehul Parikh, suja s, and Velmurugan Periasamy. > > > Bugs: RANGER-2168 > https://issues.apache.org/jira/browse/RANGER-2168 > > > Repository: ranger > > > Description > ------- > > **Problem Statement:** Currently only user with admin role or a delegated > admin user can create the policy. We can possibly have a service admin user > who can be allowed to create policy. Such users can be configured in the > service config itself and can be removed by admin anytime. > > **Proposed Solution:** > Allow admin/keyadmin role users to add a custom service config property > 'service.admin.users' through service page. > Users provided in 'service.admin.users' can be internal or external and can > have any role. > Users provided in 'service.admin.users' should able to > create/update/delete/view policies of that ranger service. > > > Diffs > ----- > > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > 8efc950ce > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > e4449df2e > > > Diff: https://reviews.apache.org/r/68096/diff/1/ > > > Testing > ------- > > **Steps Performed:** > Created an internal user testuser in the Ranger admin. > Added a hive service 'hivedev' in Ranger. > > **Action-1**: Logged in from 'testuser' and tried to create a policy > 'testpolicy' in 'hivedev' service. > **Expected Behaviour**: Policy creation should fail. > **Actual Behaviour**: Policy creation failed. > > **Action-2.1**: Logged in from ranger admin user and added a custom property > 'service.admin.users' in 'hivedev' service and provided value 'testuser' in > the given text box. Saved the 'hivedev' service. > **Action-2.2**: Logged in from 'testuser' and tried to create a policy > 'testpolicy' in 'hivedev' service. > **Expected Behaviour**: Policy creation should successful. > **Actual Behaviour**: Policy creation finished successfully. > > Tested Policy updation and deletion which also executed successfully. > > **Action-3.1**: Logged in from ranger admin user and removed custom property > 'service.admin.users' from 'hivedev' service. Saved the 'hivedev' service. > **Action-3.2**: Logged in from 'testuser' and tried to create a policy > 'testpolicy1' in 'hivedev' service. > **Expected Behaviour**: Policy creation should fail. > **Actual Behaviour**: Policy creation failed. > > > Thanks, > > Pradeep Agrawal > >
