> On January 4, 2023, 2:51 a.m., Kirby Zhou wrote:
> > security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java
> > Lines 314 (patched)
> > <https://reviews.apache.org/r/74268/diff/3/?file=2273363#file2273363line314>
> >
> > What happens when GUID exists but is not in the specified Zone? This
> > seems to be a security risk.
>
> Ramachandran Krishnan wrote:
> In the current design,
> we are able to query the policy with guid, serviceName and zoneId when
> the zoneName is not passed.
>
> zoneId ---> RANGER_UNZONED_SECURITY_ZONE_ID(1L)
>
> The below query will be used
>
> select obj from XXPolicy obj, XXService svc where obj.guid = :guid and
> obj.service = svc.id and svc.name = :serviceName and obj.zoneId = :zoneId
>
>
> In our case also we can do the same when we pass only guid
>
> In that case we will add UNZONED_SECURITY_ZONE_ID along with guid
>
> select obj from XXPolicy obj where obj.guid = :guid and obj.zoneId =
> :zoneId
>
> zoneId ---> RANGER_UNZONED_SECURITY_ZONE_ID(1L)
>
> Kirby Zhou/Madhan,
> Please correct me if I am wrong.
>
> Kirby Zhou wrote:
> It seems we cannot query the policy with guid and zoneName when
> serviceName is not passed?
>
> Ramachandran Krishnan wrote:
> Before fix:
> Yeah, correct, we cannot query the policy with guid and zoneName when
> serviceName is not passed.
> After fix:
> We can query the policy with guid and zoneId
>
> select obj from XXPolicy obj where obj.guid = :guid and obj.zoneId =
> :zoneId
> zoneId ---> RANGER_UNZONED_SECURITY_ZONE_ID(1L)
>
> Madhan Neethiraj wrote:
> Current API supports retrieving a policy given guid/serviceName and
> zoneName. The ask in the JIRA was to be able to retrieve a policy given its
> guid. Is it necessary to locate a policy with given guid and zoneName?
-- After fix:
-- We can query the policy with guid and zoneId
I do not think so.
```
if (StringUtils.isNotBlank(serviceName)) {
    if (StringUtils.isBlank(zoneName)) {
        // query with guid, serviceName and RANGER_UNZONED_SECURITY_ZONE_ID
    } else {
        // query with guid, serviceName and zoneName
    }
} else {
    // here, you only query with guid and RANGER_UNZONED_SECURITY_ZONE_ID.
    // missing the case: guid and zoneName
    return getEntityManager()
            .createNamedQuery("XXPolicy.findPolicyByPolicyGUID", tClass)
            .setParameter("guid", guid)
            .setParameter("zoneId", RangerSecurityZone.RANGER_UNZONED_SECURITY_ZONE_ID)
            .getSingleResult();
}
```
- Kirby
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74268/#review225039
-----------------------------------------------------------
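The lookup branches discussed in this thread, as an added illustration that is not Ranger's code: an in-memory stand-in for the XXPolicy table (the zone-name map, the sample rows and the helper function are constructed for this example). It shows that every branch pins a zone id, either the caller's zoneName or the unzoned default, so a GUID that exists only in a different zone is reported as not found rather than returned.

```python
from dataclasses import dataclass
from typing import List, Optional

# Ranger's default zone id (1L), as quoted in the thread.
RANGER_UNZONED_SECURITY_ZONE_ID = 1


@dataclass(frozen=True)
class Policy:            # constructed stand-in for an XXPolicy row
    guid: str
    service_name: str    # stands in for the XXService join (obj.service = svc.id)
    zone_id: int


# Constructed sample data: zone names and three policies in different zones.
ZONES = {"zone-a": 2, "zone-b": 3}
POLICIES: List[Policy] = [
    Policy("g-1", "hive", RANGER_UNZONED_SECURITY_ZONE_ID),
    Policy("g-2", "hive", ZONES["zone-a"]),
    Policy("g-3", "hdfs", ZONES["zone-b"]),
]


def find_policy_by_guid(guid: str, service_name: str = "",
                        zone_name: str = "") -> Optional[Policy]:
    """Mirror of the four cases in Kirby's comment, including the missing
    guid + zoneName case. The zone filter is always applied."""
    if zone_name:
        if zone_name not in ZONES:
            return None      # unknown zone: not found, never widen the query
        zone_id = ZONES[zone_name]
    else:
        zone_id = RANGER_UNZONED_SECURITY_ZONE_ID
    matches = [p for p in POLICIES
               if p.guid == guid and p.zone_id == zone_id
               and (not service_name or p.service_name == service_name)]
    # getSingleResult semantics: exactly one row, otherwise not found
    return matches[0] if len(matches) == 1 else None
```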
On January 4, 2023, 5:09 a.m., Ramachandran Krishnan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74268/
> -----------------------------------------------------------
>
> (Updated January 4, 2023, 5:09 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Abhay Kulkarni, Madhan Neethiraj,
> Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj,
> Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-4031
> https://issues.apache.org/jira/browse/RANGER-4031
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Not able to fetch Policy details using guid /api/policy/guid/{guid} without
> service name
>
> Request without servicename
>
> curl -s -L -X GET
> "https://q************/service/public/v2/api/policy/guid/****-2f42-4451-9edf-****"
> -H "Content-Type: application/json" -H "Accept: application/json" -H
> "Authorization: Basic *********DEyMw=="
> Response : 404
>
> Request with servicename
>
> curl -s -L -X GET
> "https://****************/service/public/v2/api/policy/guid/*****-2f42-4451-9edf-****?serviceName=hive"
> -H "Content-Type: application/json" -H "Accept: application/json" -H
> "Authorization: Basic ***************=="
> Response Proper : 200 with proper details
>
> Code :
> https://github.com/apache/ranger/blob/master/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java#L505
>
> @GET
> @Path("/api/policy/guid/{guid}")
> @Produces({ "application/json", "application/xml" })
> public RangerPolicy getPolicyByGUIDAndServiceNameAndZoneName(@PathParam("guid") String guid,
>         @DefaultValue("") @QueryParam("serviceName") String serviceName,
>         @DefaultValue("") @QueryParam("ZoneName") String zoneName) {
>     return serviceREST.getPolicyByGUIDAndServiceNameAndZoneName(guid, serviceName, zoneName);
> }
> As the query parameters are optional, it should give a proper response.
>
> Expected : User should be able to get policy details using only guid in path
> params
>
>
> As part of the current design, Ranger expects both serviceName and guid to be
> mandatory, and zoneName can be optional.
> Proposal:
> Add the logic to fetch the RangerPolicy by guid from the backend.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
> 6b9604817
> security-admin/src/main/java/org/apache/ranger/db/XXPolicyDao.java
> 37d7561d4
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
> c7a6ea0a6
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
> e17494fa9
> security-admin/src/main/resources/META-INF/jpa_named_queries.xml 85c8b6213
> security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
> 7f1ec6d3e
> security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java
> 2a123de93
> security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
> 7b15810e0
>
>
> Diff: https://reviews.apache.org/r/74268/diff/4/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Ramachandran Krishnan
>
>