-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73576/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu,
and Velmurugan Periasamy.
Bugs: RANGER-3404
https://issues.apache.org/jira/browse/RANGER-3404
Repository: ranger
Description
-------
From a user this was created by:
- Created new regular user in Ranger with no groups or anything.
- That user can see policies that he shouldn't (only ones with just delegate
  admin rights).
- If a policy has a delegate admin, this user can see and edit it, but cannot
  add more permissions to the policy. Also, user can create a new policy, but it
  is only with no permissions and for delegating admin to other users - again
  with no permissions.
- If policy has anything on top of delegate admin, then the user gets denied
  properly.
Added user/group/role check to fix the issue.
Diffs
-----
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 9f0abf2dd
agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 8f2d3f1a7
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 2eef20b15
Diff: https://reviews.apache.org/r/73576/diff/1/
Testing
-------
Verified that delegate-admin processing works as expected in a private cluster.
Passed all unit tests.
Thanks,
Abhay Kulkarni