----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74268/#review225039 -----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java Lines 314 (patched) <https://reviews.apache.org/r/74268/#comment313845> What happens when GUID exists but is not in the specified Zone? This seems to be a security risk. - Kirby Zhou On 一月 3, 2023, 6:22 p.m., Ramachandran Krishnan wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74268/ > ----------------------------------------------------------- > > (Updated 一月 3, 2023, 6:22 p.m.) > > > Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj, > Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, > Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy. > > > Bugs: RANGER-4031 > https://issues.apache.org/jira/browse/RANGER-4031 > > > Repository: ranger > > > Description > ------- > > Not able to fetch Policy details using guid /api/policy/guid/{guid} without > service name > > Request without servicename > > curl -s -L -X GET > "https://q************/service/public/v2/api/policy/guid/****-2f42-4451-9edf-****"; > -H "Content-Type: application/json" -H "Accept: application/json" -H > "Authorization: Basic *********DEyMw==" > Response : 404 > > Request with servicename > > curl -s -L -X GET > "https://****************/service/public/v2/api/policy/guid/*****-2f42-4451-9edf-****?serviceName=hive"; > -H "Content-Type: application/json" -H "Accept: application/json" -H > "Authorization: Basic ***************==" > Response Proper : 200 with proper details > > Code : > https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java#L505 > > @GET @Path("/api/policy/guid/{guid}") > @Produces({ "application/json", "application/xml" }) > public RangerPolicy > getPolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid, > > @DefaultValue("") > @QueryParam("serviceName") String serviceName, > > @DefaultValue("") @QueryParam("ZoneName") String zoneName) { > return > serviceREST.getPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, > zoneName); } > As query parameters are optional it should give proper response > > Expected : User should be able to get policy details using only guid in path > params > > > As part of the current design, Ranger expects both serviceName,guid should be > mandatory and zoneName can be optional > Proposal: > Add the logic to fetch the RangerPolicy by guid from the backend > > > Diffs > ----- > > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > 6b9604817 > security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java > 37d7561d4 > security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java > c7a6ea0a6 > security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java > e17494fa9 > security-admin/src/main/resources/META-INF/jpa_named_queries.xml 85c8b6213 > security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java > 7f1ec6d3e > security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java > 2a123de93 > security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java > 7b15810e0 > > > Diff: https://reviews.apache.org/r/74268/diff/3/ > > > Testing > ------- > > > Thanks, > > Ramachandran Krishnan > >
