-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73576/#review223472
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 203 (original), 203 (patched)
<https://reviews.apache.org/r/73576/#comment312555>

    If matchedRepository contains at least one policy that allows the user
    delegated-admin privilege for any accessType, i.e., allowedAccesses is not
    null, this method will return true. Is this desired?

    It might be simpler to handle empty accessTypes before entering the 'for'
    loop at #196:
      if (CollectionUtils.isEmpty(accessTypes)) {
        ret = false;
      } else {
        for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
          ..
        }
      }


- Madhan Neethiraj


On Sept. 9, 2021, 9:29 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73576/
> -----------------------------------------------------------
> 
> (Updated Sept. 9, 2021, 9:29 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3404
>     https://issues.apache.org/jira/browse/RANGER-3404
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> From a user this was created by:
> -created new regular user in ranger with no groups or anything.
> -that user can see policies that he shouldn't (only ones with just delegate 
> admin rights).
> -If a policy has a delegate admin, this user can see and edit it, but cannot 
> add more permissions to the policy. Also, user can create a new policy, but 
> it is only with no permissions and for delegating admin to other users - 
> again with no permissions.
> -If policy has anything on top of delegate admin, then the user gets denied 
> properly.
> 
> Added user/group/role check to fix the issue.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 9f0abf2dd
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 8f2d3f1a7
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 2eef20b15
> 
> 
> Diff: https://reviews.apache.org/r/73576/diff/1/
> 
> 
> Testing
> -------
> 
> Verified that delegate-admin processing works as expected in a private 
> cluster.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
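
The review comment above turns on what a per-policy loop does when the requested accessTypes collection is empty. The following is an added example, not code from the patch or from Ranger: a simplified model in which every class, method and sample value is hypothetical, comparing a loop-only check with one that rejects an empty request before the loop.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model, not Ranger code: all names here are hypothetical.
public class DelegatedAdminCheckDemo {
    // One policy: maps a user to the access types held with delegated-admin rights.
    record Policy(Map<String, Set<String>> delegatedAdminAccesses) {
        // Returns null when the policy gives this user no delegated-admin rights.
        Set<String> allowedAccesses(String user) {
            return delegatedAdminAccesses.get(user);
        }
    }

    // Loop-only check: containsAll() on an empty request is vacuously true, so
    // any policy with non-null allowedAccesses for the user satisfies it.
    static boolean isAllowedLoopOnly(List<Policy> matched, String user, Set<String> accessTypes) {
        for (Policy policy : matched) {
            Set<String> allowed = policy.allowedAccesses(user);
            if (allowed != null && allowed.containsAll(accessTypes)) {
                return true;
            }
        }
        return false;
    }

    // Guarded check: an empty or null request is denied before the loop runs.
    // Plain null/isEmpty is used instead of CollectionUtils to stay dependency-free.
    static boolean isAllowedGuarded(List<Policy> matched, String user, Set<String> accessTypes) {
        if (accessTypes == null || accessTypes.isEmpty()) {
            return false;
        }
        return isAllowedLoopOnly(matched, user, accessTypes);
    }

    public static void main(String[] args) {
        // Constructed sample data: alice is delegated admin for "select" only.
        List<Policy> matched = List.of(
            new Policy(Map.of("alice", Set.of("select"))),
            new Policy(Map.of("bob", Set.of("select", "update"))));
        Set<String> empty = Set.of();

        System.out.println("loop-only, empty request:  " + isAllowedLoopOnly(matched, "alice", empty));
        System.out.println("guarded,   empty request:  " + isAllowedGuarded(matched, "alice", empty));
        System.out.println("guarded,   select request: " + isAllowedGuarded(matched, "alice", Set.of("select")));
        System.out.println("guarded,   update request: " + isAllowedGuarded(matched, "alice", Set.of("update")));
    }
}
```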
