-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223702
-----------------------------------------------------------

Ship it!

- Abhay Kulkarni


On Oct. 29, 2021, 1:59 p.m., Kishor Gollapalliwar wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73673/
> -----------------------------------------------------------
>
> (Updated Oct. 29, 2021, 1:59 p.m.)
>
>
> Review request for ranger, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal,
> Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and
> Velmurugan Periasamy.
>
>
> Bugs: RANGER-3502
>     https://issues.apache.org/jira/browse/RANGER-3502
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Currently the get zones API returns all zones even for users who are not
> authorized to the zone module. Restrict this API to only users who are
> authorized to the zone module.
>
> Steps to reproduce:
>
> 1. Create an internal user named test_user1
> 2. Remove the permission on the Security Zone module for the user
> 3. Login as test_user1 to Ranger Admin; the user should not be able to see
>    the Security Zone tab
> 4. Access the API using curl:
>
>    curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370
>   security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694
>
>
> Diff: https://reviews.apache.org/r/73673/diff/1/
>
>
> Testing
> -------
>
> 1. mvn clean compile package install verify
> 2. Verified UI login with admin user
> 3. Verified curl (GET zones API) with admin user
> 4. Verified UI login with non-admin user having access to zone module
> 5. Verified curl (GET zones API) with non-admin user having access to zone
>    module
> 6. Verified UI login with non-admin user having NO access to zone module
> 7. Verified curl (GET zones API) with non-admin user having NO access to zone
>    module
> 8. Created / updated / deleted services
> 9. Created / updated / deleted policies
> 10. Created / updated / deleted zones and attached them to services
>
>
> Thanks,
>
> Kishor Gollapalliwar
>
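The access-control pattern behind this change, as an added illustration that is not Ranger's own code and not the content of the linked diff: a "list all" endpoint that returns every record to any authenticated caller, beside the same endpoint gated on a module-level permission check. The `User`, `Module`, `SecurityZone` and `isAuthorizedForZoneModule` names, and the in-memory permission data, are all constructed for this example; in a JAX-RS service the `AccessDeniedException` would be mapped to an HTTP 403 response. The three callers in `main` mirror the three cases exercised in the Testing section (admin, non-admin with zone-module access, non-admin without it).

```java
// Added example (not Apache Ranger code): enforce a module-level permission
// check on a "list security zones" endpoint instead of returning all zones
// to any authenticated user.
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public class ZoneListingExample {

    // Constructed permission model: admin-level modules a user may be granted.
    enum Module { SECURITY_ZONE, POLICY }

    static final class User {
        final String name;
        final boolean admin;
        final Set<Module> modules;
        User(String name, boolean admin, Set<Module> modules) {
            this.name = name;
            this.admin = admin;
            this.modules = modules;
        }
    }

    static final class SecurityZone {
        final String name;
        SecurityZone(String name) { this.name = name; }
    }

    // Thrown when the caller lacks the required module permission; a REST layer
    // would translate this into HTTP 403 Forbidden.
    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Constructed sample data standing in for the zone store.
    static final List<SecurityZone> ALL_ZONES = List.of(
            new SecurityZone("zone-a"), new SecurityZone("zone-b"));

    // BEFORE: the caller's identity is ignored, so every authenticated user
    // (including one with no Security Zone module permission) sees all zones.
    static List<SecurityZone> getAllZonesUnchecked(User caller) {
        return Collections.unmodifiableList(ALL_ZONES);
    }

    // Hypothetical authorization rule: admins, or users explicitly granted the
    // Security Zone module, may list zones.
    static boolean isAuthorizedForZoneModule(User caller) {
        return caller.admin || caller.modules.contains(Module.SECURITY_ZONE);
    }

    // AFTER: deny before touching the data; the check happens on the server
    // regardless of whether the UI hides the Security Zone tab.
    static List<SecurityZone> getAllZones(User caller) {
        if (!isAuthorizedForZoneModule(caller)) {
            throw new AccessDeniedException(
                    caller.name + " is not authorized to the Security Zone module");
        }
        return Collections.unmodifiableList(ALL_ZONES);
    }

    public static void main(String[] args) {
        User admin = new User("admin", true, EnumSet.allOf(Module.class));
        User zoneUser = new User("zone_user", false, EnumSet.of(Module.SECURITY_ZONE));
        User testUser1 = new User("test_user1", false, EnumSet.of(Module.POLICY));

        for (User u : List.of(admin, zoneUser, testUser1)) {
            System.out.println("unchecked: " + u.name + " -> "
                    + getAllZonesUnchecked(u).size() + " zones");
            try {
                System.out.println("checked:   " + u.name + " -> "
                        + getAllZones(u).size() + " zones");
            } catch (AccessDeniedException e) {
                System.out.println("checked:   " + u.name + " -> 403: " + e.getMessage());
            }
        }
    }
}
```

The point the reproduction steps make is that hiding the Security Zone tab in the UI is not a control: the API must perform the same permission check itself, which is what the checked variant above does and the unchecked variant omits.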