-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74068/
-----------------------------------------------------------

Review request for ranger, bhavik patel, Dhaval Shah, Abhay Kulkarni, Madhan 
Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-3837
    https://issues.apache.org/jira/browse/RANGER-3837


Repository: ranger


Description
-------

For Ozone S3 Multi-Tenancy assign user CLI, we would edit a Ranger role to add 
a new user. During tenant creation, we create two new Ranger roles 
(tenant1-AdminRole and tenant1-UserRole).

As OM prefers using om user (in ozone.keytab) to talk to Ranger, we wouldn't be 
able to create/edit/delete roles with that credential. And there doesn't seem 
to be a config to allow it at this point.

Changes done: Changed ensureAdminAccess so that both admins and service admins 
can now get, create, edit, and delete roles.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 1e74a5ffd 


Diff: https://reviews.apache.org/r/74068/diff/1/


Testing
-------

Here is the observed expected behavior:

When logged in user is of type ROLE_USER:
Delete is not successful even if execUser is {ROLE_USER, admin or service admin}
Adding user fails

When logged in user is service admin:
Delete succeeds when execUser is service admin
Delete succeeds when execUser is admin
Delete fails when execUser is ROLE_USER
Adding user succeeds

When logged in user is ROLE_SYS_ADMIN:
Delete succeeds even if execUser is {ROLE_USER, admin or service admin}
Adding user succeeds


Thanks,

Fateh Singh
