-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73576/#review223498
-----------------------------------------------------------

Ship it!

Ship It!

- Madhan Neethiraj


On Sept. 9, 2021, 9:29 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73576/
> -----------------------------------------------------------
>
> (Updated Sept. 9, 2021, 9:29 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu,
> and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3404
>     https://issues.apache.org/jira/browse/RANGER-3404
>
>
> Repository: ranger
>
>
> Description
> -------
>
> From a user this was created by:
> - created new regular user in ranger with no groups or anything.
> - that user can see policies that he shouldn't (only ones with just delegate
>   admin rights).
> - If a policy has a delegate admin, this user can see and edit it, but cannot
>   add more permissions to the policy. Also, user can create a new policy, but
>   it is only with no permissions and for delegating admin to other users -
>   again with no permissions.
> - If policy has anything on top of delegate admin, then the user gets denied
>   properly.
>
> Added user/group/role check to fix the issue.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java 9f0abf2dd
>   agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyItemEvaluator.java 8f2d3f1a7
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 2eef20b15
>
>
> Diff: https://reviews.apache.org/r/73576/diff/1/
>
>
> Testing
> -------
>
> Verified that delegate-admin processing works as expected in a private
> cluster.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
