Abhay Kulkarni created RANGER-2642:
--------------------------------------
Summary: Grant/Revoke REST invocations by non-service users should
not specify resource owner
Key: RANGER-2642
URL: https://issues.apache.org/jira/browse/RANGER-2642
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: master
Reporter: Abhay Kulkarni
Assignee: Abhay Kulkarni
Fix For: master
If the Grant/Revoke REST API is invoked by a user which is not an admin or not
listed in the policy.grantrevoke.auth.users config parameter value, then the resource
being granted permission to should not specify ownership information.
Otherwise, such a user may be able to modify a resource for which it does not
have delegated-admin privilege.