> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> >     If the requirement is to return true when current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add the following after #226:
> >
> >       if (accessTypes.removeAll(allowedAccesses)) {
> >         ret = true;
> >         break;
> >       }
> >
> >     No change should be needed in getAllAccessTypes() method - #199 above.
>
> Abhay Kulkarni wrote:
>     The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can a delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both the "admin" user and a non-privileged user, can that policy-item contain more permissions than the delegated-admin user's permissions?
>
>     If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user has more permissions than the permissions of the granting delegated-admin user.

I think it will help to distinguish policy-read and policy-update:
- a user should be allowed to read a policy if the user has delegate-admin on at least one access-type listed in the policy
- a user should be allowed to create a policy only if the user has delegate-admin on all access-types listed in the policy
- a user should be allowed to delete a policy only if the user has delegate-admin on all access-types listed in the policy being deleted
- a user should be allowed to update a policy only if the user has delegate-admin on all access-types listed in both the existing policy and the updated policy

- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------


On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 4, 2021, 3:05 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items: one for bob, and the other for alice, with RWX permissions and "Delegate Admin".
> Log in as bob, and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e
>
> Diff: https://reviews.apache.org/r/73627/diff/1/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
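The four read/create/delete/update rules proposed in Madhan's reply, written out as a stand-alone Java sketch. This is an added illustration, not code from the Ranger patch under review or from the Ranger code base. It assumes that the access-types "listed in a policy" are the union over all of its policy-items, and that a user's delegate-admin access-types are those granted with "Delegate Admin" in the policies naming that user; the enum, class and method names are hypothetical. The `main` method replays the repro scenario from the review request (alice RWX and bob RWX, both with delegate-admin; bob then removes Write from his own item). The "any" read rule is the same test Madhan's `accessTypes.removeAll(allowedAccesses)` snippet performs, i.e. a non-empty intersection; the admin-role bypass from item 2 of the fix is not modelled.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

// Hypothetical model of the delegate-admin rules from the review thread; not Ranger code.
public class DelegateAdminRules {

    // HDFS-style access types used in the repro scenario (RWX).
    enum Access { READ, WRITE, EXECUTE }

    // Read: delegate-admin on at least one access-type listed in the policy.
    // Equivalent to Madhan's removeAll() snippet: true when the two sets intersect.
    static boolean canRead(Set<Access> policyAccesses, Set<Access> delegateAdminAccesses) {
        return !Collections.disjoint(policyAccesses, delegateAdminAccesses);
    }

    // Create and delete: delegate-admin on all access-types listed in the policy.
    static boolean canCreateOrDelete(Set<Access> policyAccesses, Set<Access> delegateAdminAccesses) {
        return delegateAdminAccesses.containsAll(policyAccesses);
    }

    // Update: delegate-admin on all access-types listed in both the existing and the updated
    // policy, so a delegated admin can neither add nor strip permissions beyond its own grant.
    static boolean canUpdate(Set<Access> existingPolicyAccesses,
                             Set<Access> updatedPolicyAccesses,
                             Set<Access> delegateAdminAccesses) {
        return delegateAdminAccesses.containsAll(existingPolicyAccesses)
            && delegateAdminAccesses.containsAll(updatedPolicyAccesses);
    }

    // Replays the repro: policy "test-delegate-admin" with items alice=RWX and bob=RWX,
    // both with delegate-admin; bob removes WRITE from his own item.
    public static void main(String[] args) {
        Set<Access> rwx = EnumSet.allOf(Access.class);
        Set<Access> rx  = EnumSet.of(Access.READ, Access.EXECUTE);

        // Access-types listed in the policy: union over both policy-items (assumption).
        Set<Access> policyBefore = EnumSet.copyOf(rwx);   // alice RWX + bob RWX
        Set<Access> policyAfter  = EnumSet.copyOf(rwx);   // alice RWX + bob RX still lists WRITE

        // bob's delegate-admin access-types come from his own policy-item (assumption).
        Set<Access> bobBefore = EnumSet.copyOf(rwx);
        Set<Access> bobAfter  = EnumSet.copyOf(rx);

        // The update is authorised against bob's grant as it stands before the save.
        System.out.println("bob may update (bob RWX -> RX): "
            + canUpdate(policyBefore, policyAfter, bobBefore));

        // After the save, the "any" rule keeps the policy visible to bob ...
        System.out.println("bob may read, any-rule:         "
            + canRead(policyAfter, bobAfter));

        // ... whereas an "all" rule applied to reads hides it, since alice's item still lists WRITE.
        System.out.println("bob may read, all-rule:         "
            + canCreateOrDelete(policyAfter, bobAfter));

        // Delete stays denied for the same reason.
        System.out.println("bob may delete:                 "
            + canCreateOrDelete(policyAfter, bobAfter));
    }
}
```

Run with `javac DelegateAdminRules.java && java DelegateAdminRules`. The point of the replay is the asymmetry Madhan proposes: bob's own edit is authorised against the delegate-admin grant he held before saving, so it goes through, and the "any" rule then keeps the policy readable to him even though the policy as a whole still lists an access-type (WRITE, via alice's item) that he no longer holds. Applying the "all" rule to reads is what produces the symptom in the repro, while keeping "all" for create, delete and update is what stops a delegated admin from handing out more than its own grant, which is the concern Abhay raises.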