[ 
https://issues.apache.org/jira/browse/RANGER-4771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17835087#comment-17835087
 ] 

Fang-Yu Rao commented on RANGER-4771:
-------------------------------------

I found that even though I used Apache Ranger on 
{*}release-ranger-2.4.0{*}, I still hit the issue mentioned above. The stack 
trace of the Ranger Admin server is provided below. It turns out we 
are still checking the admin access for {*}grantAccess{*}() and 
{*}revokeAccess{*}() on {*}release-ranger-2.4.0{*}.
{code:java}
2024-04-08 23:59:04,966 [http-nio-6080-exec-4] INFO [RESTErrorUtil.java:85] Request failed. loginId=null, logMessage=Bad Credentials
javax.ws.rs.WebApplicationException: null
        at org.apache.ranger.common.RESTErrorUtil.generateRESTException(RESTErrorUtil.java:78)
        at org.apache.ranger.biz.RangerBizUtil.checkAdminAccess(RangerBizUtil.java:1560)
        at org.apache.ranger.biz.PolicyRefUpdater.createNewPolMappingForRefTable(PolicyRefUpdater.java:172)
        at org.apache.ranger.biz.ServiceDBStore.createPolicy(ServiceDBStore.java:2053)
        at org.apache.ranger.rest.ServiceREST.grantAccess(ServiceREST.java:1307)
{code}

> Remove the calls to ensureAdminAccess() in grantAccess() and revokeAccess()
> ---------------------------------------------------------------------------
>
>                 Key: RANGER-4771
>                 URL: https://issues.apache.org/jira/browse/RANGER-4771
>             Project: Ranger
>          Issue Type: Task
>          Components: admin
>            Reporter: Fang-Yu Rao
>            Priority: Major
>
> We added calls to {*}ensureAdminAccess{*}() in {*}grantAccess{*}() and 
> {*}revokeAccess{*}() in RANGER-4445.
> But according to 
> [https://github.com/apache/ranger/blame/master/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java#L1251]
>  and 
> [https://github.com/apache/ranger/blame/master/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java#L1492],
>  {*}grantAccess{*}() and {*}revokeAccess{*}() are open APIs. Thus, it seems 
> we could safely remove the calls to {*}ensureAdminAccess{*}() in these 2 
> places.
> Removing the calls to {*}ensureAdminAccess{*}() also allows the users of 
> other Apache components, e.g., Apache Impala, to test the integration with 
> Apache Ranger, since at the moment Apache Impala still relies on 
> {*}grantAccess{*}() and {*}revokeAccess{*}() to perform authorization-related 
> tests.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
