-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74068/#review224635
-----------------------------------------------------------

Ship it!


Ship It!

- Abhay Kulkarni


On Aug. 3, 2022, 7:02 p.m., Fateh Singh wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74068/
> -----------------------------------------------------------
>
> (Updated Aug. 3, 2022, 7:02 p.m.)
>
>
> Review request for ranger, bhavik patel, Dhaval Shah, Abhay Kulkarni, Madhan
> Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3837
> https://issues.apache.org/jira/browse/RANGER-3837
>
>
> Repository: ranger
>
>
> Description
> -------
>
> For Ozone S3 Multi-Tenancy assign user CLI, we would edit a Ranger role to
> add a new user. During tenant creation, we create two new Ranger roles
> (tenant1-AdminRole and tenant1-UserRole).
>
> As OM prefers using om user (in ozone.keytab) to talk to Ranger, we wouldn't
> be able to create/edit/delete roles with that credential. And there doesn't
> seem to be a config to allow it at this point.
>
> Changes done:: Changed ensureAdminAccess so that both admins and service
> admins can now get, create, edit, delete roles
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 1e74a5ffd
>
>
> Diff: https://reviews.apache.org/r/74068/diff/2/
>
>
> Testing
> -------
>
> Here is the observed expected behavior:
>
> When logged in user is of type ROLE_USER::
> Delete is not successful even if execUser is {ROLE_USER, admin or service
> admin}
> Adding user fails
>
> When logged in user is service admin::
> Delete succeeds when execUser is service admin
> Delete succeeds when execUser is admin
> Delete fails when execUser is ROLE_USER
> Adding user succeeds
>
> When logged in user is ROLE_SYS_ADMIN::
> Delete succeeds even if execUser is {ROLE_USER, admin or service admin}
> Adding user succeeds
>
>
> Thanks,
>
> Fateh Singh
>
>
