-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja 
Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3462
    https://issues.apache.org/jira/browse/RANGER-3462


Repository: ranger


Description
-------

Steps to reproduce the issue:

Create users alice, bob, and charlie in Ranger. Alice has the admin role; bob 
and charlie have the user role.
Create an HDFS policy with name "test-delegate-admin" as alice. In that policy 
there are 2 policy items: one for bob, and the other for alice with RWX 
permissions with "Delegate Admin".
Log in as bob and edit the policy item for bob: remove the Write permission.
After saving the policy, bob is not able to see the policy anymore. It only 
becomes visible after the Write permission is restored.


Fix involves:
1. When a policy is updated, the policy-items are segregated based on users 
specified in the policy-item.
2. For admin users, updates to permissions are not checked.
3. For the user/group/role updating the policy, only admin permission is 
checked in all delegated-admin policies.
4. For other users all requested permissions are checked against other 
delegated-admin policies.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
  security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e 


Diff: https://reviews.apache.org/r/73627/diff/1/


Testing
-------

Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.


Thanks,

Abhay Kulkarni
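
The four rules listed under "Fix involves", sketched as an added example; this is not Ranger's code and not part of the original review request. All type and method names are hypothetical, resource matching is omitted, and the sketch assumes that "admin permission" means holding a "Delegate Admin" policy item and that the caller supplies the delegated-admin policy items to check against.

```java
import java.util.*;

// Simplified model of the four rules; every name here is hypothetical and
// resource matching is omitted (assumption: all items cover one resource).
public class DelegatedAdminUpdateCheck {
    record Item(String user, Set<String> accesses, boolean delegateAdmin) {}

    static boolean isUpdateAllowed(String updater, Set<String> admins,
                                   List<Item> requested, List<Item> delegatedAdminItems) {
        // What the updater holds with "Delegate Admin" in the supplied items.
        boolean updaterIsDelegatedAdmin = false;
        Set<String> grantable = new HashSet<>();
        for (Item it : delegatedAdminItems) {
            if (it.delegateAdmin() && it.user().equals(updater)) {
                updaterIsDelegatedAdmin = true;
                grantable.addAll(it.accesses());
            }
        }
        // Rule 1: segregate the requested policy items by the user they name.
        Map<String, Set<String>> byUser = new TreeMap<>();
        for (Item it : requested)
            byUser.computeIfAbsent(it.user(), u -> new TreeSet<>()).addAll(it.accesses());

        for (Map.Entry<String, Set<String>> e : byUser.entrySet()) {
            String user = e.getKey();
            if (admins.contains(user)) continue;                // Rule 2: admin users, no check
            if (user.equals(updater)) {                         // Rule 3: admin permission only
                if (!updaterIsDelegatedAdmin) return false;
            } else if (!grantable.containsAll(e.getValue())) {  // Rule 4: every requested access
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("alice");
        Item alice = new Item("alice", Set.of("read", "write", "execute"), true);
        // Constructed data: the stored policy items before bob's edit.
        List<Item> stored = List.of(new Item("bob", Set.of("read", "write", "execute"), true), alice);
        Item bobRX = new Item("bob", Set.of("read", "execute"), true);
        // Repro scenario: bob removes Write from his own item (exercises rule 3).
        System.out.println(isUpdateAllowed("bob", admins, List.of(bobRX, alice), stored));
        // Constructed follow-up: bob, now holding read/execute, adds an item for charlie (rule 4).
        List<Item> after = List.of(bobRX, alice);
        Item charlieWrite = new Item("charlie", Set.of("write"), false);
        Item charlieRead = new Item("charlie", Set.of("read"), false);
        System.out.println(isUpdateAllowed("bob", admins, List.of(bobRX, alice, charlieWrite), after));
        System.out.println(isUpdateAllowed("bob", admins, List.of(bobRX, alice, charlieRead), after));
    }
}
```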
