-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/37943/#review97618
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java (line 164)
<https://reviews.apache.org/r/37943/#comment153634>

    Would replacing hasRole("ROLE_SYS_ADMIN") with isAPIAccsible(SERVICE_ASSOCIATED_TABS) result in more users (i.e. non-admins) being able to call this method? If yes, this needs to be reviewed and fixed. Please review all other such occurrences.

security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java (line 81)
<https://reviews.apache.org/r/37943/#comment153638>

    It will be efficient to have findAccessibleModulesByUserId() return the modules accessible by the user AND the modules accessible by the groups the user belongs to. This will avoid sending multiple queries to the DB and reduce the overhead for *every* REST API call. The query should return a list of distinct module names (or a set, if feasible) to avoid duplicate entries. Also consider using IDs instead of string names to send to the DB. IDs can be initialized from the DB during startup of Ranger Admin.

- Madhan Neethiraj

On Sept. 3, 2015, 12:42 a.m., Gautam Borad wrote:

> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/37943/
> -----------------------------------------------------------
>
> (Updated Sept. 3, 2015, 12:42 a.m.)
>
>
> Review request for ranger, Alok Lal, Don Bosco Durai, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-630
>     https://issues.apache.org/jira/browse/RANGER-630
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Make data access consistent across REST API and UI.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java 611eaf8
>   security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java e5de160
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 3d2e8b0
>   security-admin/src/main/java/org/apache/ranger/rest/UserREST.java a9d0059
>   security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java 1c0f9fc
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 93980b4
>   security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java PRE-CREATION
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 7761756
>   security-admin/src/main/resources/conf.dist/security-applicationContext.xml a648809
>
> Diff: https://reviews.apache.org/r/37943/diff/
>
>
> Testing
> -------
>
> 1) Tested on Ranger UI working of permission model.
> 2) Tested REST calls to reflect access control based on Permission model.
> 3) Checked cases like revoking access to 'user1' (having user role) from Audit tab (using permission model) and making curl call to Audit tab's REST APIs.
>
>
> Thanks,
>
> Gautam Borad
>
>
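The single-round-trip lookup Madhan asks for in the RangerPreAuthSecurityHandler comment (user grants unioned with group grants, distinct names, and an ID-based variant), as an added example that is not part of the review thread or of Ranger's code. The table and column names (x_modules_master, x_user_module_perm, x_group_module_perm, x_group_users, is_allowed) and the sample rows are assumptions modeled on the Ranger Admin permission-model schema and must be checked against the real DDL and jpa_named_queries.xml before anything like this goes into a named query:

```sql
-- Added example, not from the review thread or from Ranger's code base. Table and column names
-- are assumptions modeled on Ranger Admin's permission-model schema; verify against the real DDL.
-- Runs as-is in SQLite (sqlite3 < example.sql). All rows below are constructed sample data.

CREATE TABLE x_modules_master    (id INTEGER PRIMARY KEY, module TEXT NOT NULL);
CREATE TABLE x_user_module_perm  (user_id INTEGER, module_id INTEGER, is_allowed INTEGER);
CREATE TABLE x_group_module_perm (group_id INTEGER, module_id INTEGER, is_allowed INTEGER);
CREATE TABLE x_group_users       (user_id INTEGER, p_group_id INTEGER);

INSERT INTO x_modules_master VALUES
  (1, 'Resource Based Policies'), (2, 'Users/Groups'), (3, 'Audit'), (4, 'Key Manager');
-- user 2 is granted 'Audit' directly and has a revoked (is_allowed = 0) row for 'Users/Groups';
-- group 10, which user 2 belongs to, grants 'Resource Based Policies' and 'Audit';
-- group 11, which user 2 does not belong to, grants 'Key Manager'.
INSERT INTO x_user_module_perm  VALUES (2, 3, 1), (2, 2, 0);
INSERT INTO x_group_module_perm VALUES (10, 1, 1), (10, 3, 1), (11, 4, 1);
INSERT INTO x_group_users       VALUES (2, 10), (3, 11);

-- One query for the pre-auth handler: modules granted to the user directly, UNIONed with modules
-- granted to any group the user is a member of. UNION (not UNION ALL) returns distinct rows, so
-- 'Audit', granted both directly and via group 10, comes back once; 'Key Manager' does not come
-- back at all because user 2 is not in group 11, and the revoked 'Users/Groups' row is filtered out.
SELECT m.module
  FROM x_modules_master m
  JOIN x_user_module_perm ump ON ump.module_id = m.id
 WHERE ump.user_id = 2 AND ump.is_allowed = 1
UNION
SELECT m.module
  FROM x_modules_master m
  JOIN x_group_module_perm gmp ON gmp.module_id = m.id
  JOIN x_group_users gu        ON gu.p_group_id = gmp.group_id
 WHERE gu.user_id = 2 AND gmp.is_allowed = 1
 ORDER BY 1;

-- The same access set as module IDs, for comparison against IDs loaded once at Ranger Admin
-- startup instead of joining to the name table and comparing strings on every REST call.
SELECT ump.module_id AS module_id
  FROM x_user_module_perm ump
 WHERE ump.user_id = 2 AND ump.is_allowed = 1
UNION
SELECT gmp.module_id
  FROM x_group_module_perm gmp
  JOIN x_group_users gu ON gu.p_group_id = gmp.group_id
 WHERE gu.user_id = 2 AND gmp.is_allowed = 1
 ORDER BY 1;
```

The handler would run one of these per request (or per session, if the result is cached) and test whether the module the endpoint is annotated with is in the returned set, denying when it is not; an empty result, for example for an unknown user id, therefore grants nothing. Note that this only answers the efficiency comment: as the ServiceREST comment points out, swapping a hasRole("ROLE_SYS_ADMIN") check for a tab-permission check can widen access to an endpoint, and this query does not preserve an admin-only restriction on its own.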
