> On Sept. 10, 2021, 1:36 a.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 203 (original), 203 (patched)
> > <https://reviews.apache.org/r/73576/diff/1/?file=2252641#file2252641line207>
> >
> >     if matchedRepository contains at least one policy that allows the user delegated-admin privilege for any accessType i.e., allowedAccesses is not null, this method will return true. Is this desired?
> >
> >     It might be simpler to handle empty accessTypes before entering the 'for' loop at #196:
> >
> >       if (CollectionUtils.isEmpty(accessTypes)) {
> >         ret = false;
> >       } else {
> >         for (RangerPolicyEvaluator evaluator : matchedRepository.getPolicyEvaluators()) {
> >           ..
> >         }
> >       }

>> if matchedRepository contains at least one policy that allows the user delegated-admin privilege for any accessType i.e., allowedAccesses is not null, this method will return true. Is this desired?

Yes. That means that, collectively, the complete set of policies allow the user all accesses that are specified in the policy being created/updated.

If the empty access-types case is handled before entering the for-loop, as proposed, then the user will not be able to see the policy where they are the designated delegated-admin (a policy with only one policy-item, with empty access-types and the delegated-admin flag checked).

Also, this change will be helpful if, in future, Ranger needs to support a feature where a user can only be delegated-admin (but cannot access the resources).

- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73576/#review223472
-----------------------------------------------------------


On Sept. 9, 2021, 9:29 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73576/
> -----------------------------------------------------------
> 
> (Updated Sept. 9, 2021, 9:29 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3404
>     https://issues.apache.org/jira/browse/RANGER-3404
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> From a user this was created by:
> -created new regular user in ranger with no groups or anything.
> -that user can see policies that he shouldn't (only ones with just delegate admin rights).
> -If a policy has a delegate admin, this user can see and edit it, but cannot add more permissions to the policy. Also, user can create a new policy, but it is only with no permissions and for delegating admin to other users - again with no permissions.
> -If policy has anything on top of delegate admin, then the user gets denied properly.
> 
> Added user/group/role check to fix the issue.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 9f0abf2dd 
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 8f2d3f1a7 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 2eef20b15 
> 
> 
> Diff: https://reviews.apache.org/r/73576/diff/1/
> 
> 
> Testing
> -------
> 
> Verified that delegate-admin processing works as expected in a private cluster.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>
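The disagreement in this thread is about where an empty accessTypes set should short-circuit the delegated-admin check. The following is an added, simplified model written for this page to make the two outcomes concrete; it is not Ranger's code. Policy, PolicyItem, delegatedAdminAccesses, isDelegatedAdminCollective and isDelegatedAdminEmptyRejected are hypothetical stand-ins for RangerPolicyEvaluator / RangerPolicyAdminImpl, resource matching is assumed to have already produced the list of matched policies, and the sample policies and users in main are constructed for the demonstration. In the "collective" variant a user whose only delegate-admin item carries no access types is still recognised as delegated admin for a request with empty accessTypes (so they can see and edit that policy); in the "reject empty" variant the same user is refused, which is the case Abhay describes above.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical model of the delegated-admin check, not Ranger's implementation. */
public class DelegatedAdminCheckDemo {

    /** One policy item: the users it applies to, its access types, and the delegate-admin flag. */
    static final class PolicyItem {
        final Set<String> users;
        final Set<String> accessTypes;
        final boolean delegateAdmin;

        PolicyItem(Set<String> users, Set<String> accessTypes, boolean delegateAdmin) {
            this.users = users;
            this.accessTypes = accessTypes;
            this.delegateAdmin = delegateAdmin;
        }
    }

    /** A policy is a list of items; resource matching is assumed to have happened already. */
    static final class Policy {
        final String name;
        final List<PolicyItem> items;

        Policy(String name, List<PolicyItem> items) {
            this.name = name;
            this.items = items;
        }

        /**
         * Access types for which this policy makes `user` a delegated admin, or null if
         * no delegate-admin item applies to the user at all. An empty, non-null set is
         * the "delegate-admin only, no permissions" item discussed in the review.
         */
        Set<String> delegatedAdminAccesses(String user) {
            Set<String> ret = null;
            for (PolicyItem item : items) {
                if (item.delegateAdmin && item.users.contains(user)) {
                    if (ret == null) {
                        ret = new HashSet<>();
                    }
                    ret.addAll(item.accessTypes);
                }
            }
            return ret;
        }
    }

    /**
     * Variant defended in the reply: walk every matched policy, union the accesses the
     * user is delegated admin for, and succeed once every requested access type is
     * covered. With an empty accessTypes, the first policy that names the user as
     * delegated admin (even with no access types) is enough.
     */
    static boolean isDelegatedAdminCollective(List<Policy> matched, String user, Set<String> accessTypes) {
        Set<String> remaining = new HashSet<>(accessTypes);
        for (Policy p : matched) {
            Set<String> allowed = p.delegatedAdminAccesses(user);
            if (allowed != null) {
                remaining.removeAll(allowed);
                if (remaining.isEmpty()) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Variant proposed in the review comment: refuse an empty accessTypes before the
     * loop. The delegated admin of a permission-less policy can then no longer see it.
     */
    static boolean isDelegatedAdminEmptyRejected(List<Policy> matched, String user, Set<String> accessTypes) {
        if (accessTypes.isEmpty()) {
            return false;
        }
        return isDelegatedAdminCollective(matched, user, accessTypes);
    }

    public static void main(String[] args) {
        // Constructed sample: "alice" is delegated admin with no access types on one policy,
        // "bob" is delegated admin for read+write on another, "carol" appears nowhere.
        Policy adminOnly = new Policy("admin-only",
                List.of(new PolicyItem(Set.of("alice"), Set.of(), true)));
        Policy readWrite = new Policy("read-write",
                List.of(new PolicyItem(Set.of("bob"), Set.of("read", "write"), true)));
        List<Policy> matched = List.of(adminOnly, readWrite);
        Set<String> none = Set.of();

        System.out.println("alice, empty accessTypes, collective   : " + isDelegatedAdminCollective(matched, "alice", none));
        System.out.println("alice, empty accessTypes, reject-empty : " + isDelegatedAdminEmptyRejected(matched, "alice", none));
        System.out.println("alice, {read}, collective              : " + isDelegatedAdminCollective(matched, "alice", Set.of("read")));
        System.out.println("bob, {read, write}, collective         : " + isDelegatedAdminCollective(matched, "bob", Set.of("read", "write")));
        System.out.println("bob, {execute}, collective             : " + isDelegatedAdminCollective(matched, "bob", Set.of("execute")));
        System.out.println("carol, empty accessTypes, collective   : " + isDelegatedAdminCollective(matched, "carol", none));
    }
}
```

The useful check is the pair of alice lines: the collective variant lets her pass for an empty request (the policy stays visible to its own delegated admin) while still refusing her a request for "read" that no policy delegates, and the reject-empty variant refuses her outright. The bob and carol lines confirm that neither variant lets a user grant an access type they are not delegated admin for, nor lets a user with no delegate-admin item anywhere pass with an empty request.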
