> On July 31, 2019, 3:40 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Line 1342 (original), 1342 (patched)
> > <https://reviews.apache.org/r/71166/diff/4/?file=2158483#file2158483line1342>
> >
> >     Please review this error message. For any failed permission check, it 
> > is always the same message. This is misleading.

This method is being called from the service-def API also. Can we write: "User is 
not allowed to update service/service-def, only Admin can create/update/delete 
" + objType,


> On July 31, 2019, 3:40 p.m., Abhay Kulkarni wrote:
> > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> > Lines 805 (patched)
> > <https://reviews.apache.org/r/71166/diff/4/?file=2158485#file2158485line811>
> >
> >     Is it possible that session is null here? If so, then the check on line 
> > 806
> >     bizUtil.hasAdminPermissions("services");
> >     will not be made. Please review.
> >     
> >     Please check the same on line 827.

Ideally, session won't be null here, but since the code is calling the getUserId() 
method of the session object, I have added a null check on the session as good 
coding practice. I thought that the proposed change will work if we skip the admin 
check for the creator user; then he can be allowed to delete the service even 
if he is not an admin user. Another way to handle this use case is that we can 
add a session null check at line 803, which shall cover lines 805 and 827 also, and 
we can remove 'session!=null' from lines 805 and 827. Let me know what shall be 
a better way to address the concern.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71166/#review216998
-----------------------------------------------------------


On July 31, 2019, 7:26 a.m., Pradeep Agrawal wrote:
> 
> 
> (Updated July 31, 2019, 7:26 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh 
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2518
>     https://issues.apache.org/jira/browse/RANGER-2518
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** Currently the service admin user cannot delete the Ranger 
> service.
> 
> **Proposed Solution:** 
> 
> During service/repo creation, the creator reference gets added in the added_by_id 
> field of the x_service table. We can compare the logged-in user id and the service 
> creator id; if both match, then there is no need to check the admin permissions. This 
> will allow the service creator user to delete the service.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 0ad7df2dd 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 84202335d 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b06273cc5 
>   security-admin/src/main/java/org/apache/ranger/service/XResourceService.java 43a855e6d 
>   security-admin/src/main/java/org/apache/ranger/service/XUgsyncAuditInfoService.java d613c700a 
>   security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 34be7e914 
> 
> 
> Diff: https://reviews.apache.org/r/71166/diff/4/
> 
> 
> Testing
> -------
> 
> Built, installed and started Ranger with the patch.
> Login from admin user.
> Create a user 'testuser1' with 'admin' role.
> Logout from admin user and login from 'testuser1'.
> Create hive service 'hivedev'.
> Logout from 'testuser1' user and login from 'admin'.
> Change the role of 'testuser1' user from 'admin' to 'user'.
> Logout from admin user.
> Execute the below curl command by using 'testuser1' user's credentials:
> curl -i --header "Accept:application/json" -H "Content-Type: application/json" -u testuser1:user1234 -X DELETE 'http://172.22.111.117:6080/service/plugins/services/5'
> 
> 
> **Expected behaviour:**
> service should get deleted and return http response code 204 with no content.
> 
> **Actual behaviour:**
> Response received:
> 
> HTTP/1.1 204 No Content
> Set-Cookie: RANGERADMINSESSIONID=3F481200366A0823073FFE27FF982A84; Path=/; 
> HttpOnly
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 
> 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 
> 'self' 'unsafe-inline';font-src 'self'
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> Pragma: no-cache
> Expires: 0
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Date: Thu, 25 Jul 2019 13:50:13 GMT
> Server: Apache Ranger
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
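The two points raised in this thread, the creator-id shortcut from the proposed solution and the reviewer's concern that a null session would skip the `hasAdminPermissions` check, can be seen side by side in the following added example. It is not Apache Ranger's code: the `Session` and `Service` classes, the `admin` flag and the method names are hypothetical stand-ins for Ranger's session object and the `x_service.added_by_id` column, and the sample users and service are constructed.

```java
import java.util.Objects;

// Added example, not Ranger's code: contrasts a fail-open and a fail-closed
// version of the "creator or admin may delete" authorization decision.
public class ServiceDeleteAuthzExample {

    /** Hypothetical stand-in for the session object; userId is null when unauthenticated. */
    static final class Session {
        final Long userId;
        final boolean admin;
        Session(Long userId, boolean admin) { this.userId = userId; this.admin = admin; }
    }

    /** Hypothetical stand-in for a service row; addedById mirrors x_service.added_by_id. */
    static final class Service {
        final long id;
        final Long addedById;
        Service(long id, Long addedById) { this.id = id; this.addedById = addedById; }
    }

    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /**
     * Shape the reviewer flagged: if session is null the && chain is false,
     * requireAdmin is never reached, and the method returns normally (fail open).
     */
    static void checkDeleteFailOpen(Session session, Service svc) {
        if (session != null && !Objects.equals(session.userId, svc.addedById)) {
            requireAdmin(session, svc);
        }
    }

    /**
     * Fail-closed variant: a missing or anonymous session is rejected first, so the
     * creator shortcut and the admin check are only evaluated for a real user.
     */
    static void checkDeleteFailClosed(Session session, Service svc) {
        if (session == null || session.userId == null) {
            throw new AccessDeniedException("No authenticated session; cannot delete service " + svc.id);
        }
        boolean isCreator = session.userId.equals(svc.addedById);
        if (!isCreator) {
            requireAdmin(session, svc);
        }
    }

    /** Object-specific message, as suggested in the thread instead of one generic text. */
    private static void requireAdmin(Session session, Service svc) {
        if (!session.admin) {
            throw new AccessDeniedException("User is not allowed to delete service " + svc.id
                    + "; only Admin or the service creator can delete it");
        }
    }

    /** Runs a check and reports whether it allowed the operation. */
    static boolean allowed(Runnable check) {
        try {
            check.run();
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Service hivedev = new Service(5L, 42L);      // constructed: service created by user 42
        Session creator = new Session(42L, false);   // constructed: creator, later demoted to 'user'
        Session otherUser = new Session(7L, false);  // constructed: unrelated non-admin
        Session admin = new Session(1L, true);       // constructed: admin user

        System.out.println("fail-open,   null session: " + allowed(() -> checkDeleteFailOpen(null, hivedev)));
        System.out.println("fail-closed, null session: " + allowed(() -> checkDeleteFailClosed(null, hivedev)));
        System.out.println("fail-closed, creator     : " + allowed(() -> checkDeleteFailClosed(creator, hivedev)));
        System.out.println("fail-closed, other user  : " + allowed(() -> checkDeleteFailClosed(otherUser, hivedev)));
        System.out.println("fail-closed, admin       : " + allowed(() -> checkDeleteFailClosed(admin, hivedev)));
    }
}
```

Running `main` prints that the fail-open check allows the delete for a null session, while the fail-closed check denies it and still allows the creator and the admin; this is the behaviour difference behind the suggestion to move the null check ahead of both call sites rather than guarding each admin check with `session!=null`.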
