-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72626/#review221113
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
Lines 1537 (patched)
<https://reviews.apache.org/r/72626/#comment309904>

    There are already several methods to check admin access in this class, not 
sure it's a good idea to have one more like this. 
    
    If you are going to keep this method then please review existing calls to 
other check admin methods and see if any of them can be replaced with this.



security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
Lines 1543 (patched)
<https://reviews.apache.org/r/72626/#comment309903>

    1) Are you missing something here => "Operation" + " denied. LoggedInUser="
    
    2) Also do you want to print user id or user login id?
    3)


- Pradeep Agrawal


On July 1, 2020, 7:05 a.m., Dineshkumar Yadav wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72626/
> -----------------------------------------------------------
> 
> (Updated July 1, 2020, 7:05 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Gautam Borad, Kishor Gollapalliwar, 
> Abhay Kulkarni, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Ranger user having role as "user" with delegate admin permission is able to 
> create policy which has non-existing users/groups/roles in the specified 
> policy. 
> Only admin users should be able to create policy with new users/groups/roles 
> on the fly creation of users/groups/roles.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/PolicyRefUpdater.java 
> 9ce481c63 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
> 4fb21a094 
>   security-admin/src/main/java/org/apache/ranger/biz/RoleRefUpdater.java 
> ff8e2ba43 
> 
> 
> Diff: https://reviews.apache.org/r/72626/diff/1/
> 
> 
> Testing
> -------
> 
> Without patch steps
>       1. Create user with role “user”
>       2. Give him delegate admin role.
>       3. Create policy using curl request where specified policy should 
> include non existing user/group.
>       4. It will be able to create the policy.
> 
> With patch same steps will give error “operation denied user/group specified 
> in policy does not exist in ranger admin.”
> 
> 
> Thanks,
> 
> Dineshkumar Yadav
> 
>
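
The rule stated in the description (only admins may save a policy that would create users/groups/roles on the fly) as an added, self-contained example. It is not code from the patch under review or from Ranger; the class, method names, message text and sample principals are hypothetical. It reports the login name in the denial message, which is one of the two options raised in the review comment.

```java
import java.util.*;

// Added illustration only: hypothetical names, not Ranger's classes or API.
public class PolicyPrincipalCheck {

    /** Principals (typed as "user:", "group:", "role:") referenced by the policy but unknown to the server. */
    static Set<String> unknownPrincipals(Collection<String> referenced, Set<String> existing) {
        Set<String> missing = new TreeSet<>(referenced);
        missing.removeAll(existing);
        return missing;
    }

    /**
     * A delegated admin may save a policy whose principals all exist.
     * Saving one that references unknown principals would create them implicitly,
     * so that path is reserved for admins.
     */
    static void checkPolicyPrincipals(String loginId, boolean isAdmin,
                                      Collection<String> referenced, Set<String> existing) {
        Set<String> missing = unknownPrincipals(referenced, existing);
        if (!missing.isEmpty() && !isAdmin) {
            // Name the operation, the caller and the offending principals so the audit entry is actionable.
            throw new SecurityException("Policy create denied. LoggedInUser=" + loginId
                    + " is not permitted to create principals: " + missing);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> existing = new HashSet<>(Arrays.asList("user:alice", "user:bob", "group:analysts"));
        List<String> withUnknown = Arrays.asList("user:alice", "user:ghost", "role:ghost-role");
        List<String> allKnown = Arrays.asList("user:alice", "group:analysts");

        checkPolicyPrincipals("admin", true, withUnknown, existing);   // admin: allowed
        checkPolicyPrincipals("deleg", false, allKnown, existing);     // delegated admin, known principals: allowed
        try {
            checkPolicyPrincipals("deleg", false, withUnknown, existing);
            throw new AssertionError("delegated admin was allowed to create principals");
        } catch (SecurityException e) {
            System.out.println(e.getMessage());                        // denied, lists the unknown principals
        }
    }
}
```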
