-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49795/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay 
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, 
and Velmurugan Periasamy.


Bugs: RANGER-1090
    https://issues.apache.org/jira/browse/RANGER-1090


Repository: ranger


Description
-------

**Problem Statement :** 
Revoke command with 'revoke grant option' does not disable delegated admin 
permission for users/groups in the corresponding policy.

Currently, a Revoke request deletes the applicable policy item and creates three 
additional policy items of 'ALLOW', 'DENY' and 'ALLOW_EXCEPTIONS' type in the 
x_policy_item table. Reference entries are also created in the 
x_policy_item_access and x_policy_item_user_perm/x_policy_item_group_perm 
tables. This should not happen for a revoke request.

**Proposed Solution :**
Removed the implementation that was creating additional policy items and 
made the revoke request call apply only to the 'Allow' policy type. From 
processRevokeRequest(), called the required/available method to remove the policy 
item access list and update the existing policy.

The proposed patch also contains a few other changes:
1. If a Grant/Revoke request does not contain any user/group, then the request will 
fail.
2. If a Grant/Revoke request contains an invalid user/group, then the request will fail.
3. If a Revoke request is valid and it appears that, after processing the request, 
the policy item access list will be empty, then the delegatedadmin flag shall be set to 
false.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 43de760 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 6146984 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java dcae9b4 

Diff: https://reviews.apache.org/r/49795/diff/


Testing
-------

**Steps Performed(with patch) :**

1. Installed Ranger, Hive and HBase Component.
2. Enabled Ranger for Hive and HBase component.

Note : hive/hbase users were having delegated admin privilege on respective 
default policies.

3. **Grant/Revoke Case on Hive:**
Logged into hive cli using command : 
=> beeline -u jdbc:hive2://localhost:10000 -n hive  -p hive

3.1 **Grant Request from Hive:**
Executed below given grant command to grant permissions to user 'usera' with 
grant option. 
=> GRANT ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT ON TABLE 
default.test1 TO USER usera WITH GRANT OPTION;

**Expected behavior :** Policy should get created with database : default, 
table : test1 where 'usera' should be having {ALTER, UPDATE, CREATE, DROP, 
INDEX, LOCK, SELECT} access permissions with delegated admin privilege.
**Actual behavior :** Hive policy 'grant-1467992197557' was created for 
resource{database : default, table : test1} where 'usera' was having access 
permissions {ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT} with delegated 
admin privileges.

3.2 **Revoke Request from Hive:**
Executed below given revoke command to revoke permissions and delegated admin 
privileges from user 'usera'.
=> REVOKE grant option for ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT ON 
TABLE default.test1 FROM USER usera;

**Expected behavior :** Hive Policy 'grant-1467992197557' should be updated 
where 'usera' should not appear in policy item and access list should be 
unchecked and delegated admin checkbox should also be unchecked.

**Actual behavior :** 
Hive Policy 'grant-1467992197557' was updated where 'usera' was not appearing 
in policy item and access permissions checkboxes were unchecked and delegated 
admin checkbox was unchecked.

4. **Grant/Revoke Case on HBase:**
Logged into the HBase CLI using command : Logged in as the hbase user in a terminal and 
executed the command
=> hbase shell

4.1 **Grant Request from HBase:**
Executed below given grant command to grant permissions to user 'userc' with 
grant option. 
=> grant 'userc','RWCA','test1'

**Expected behavior :** Policy should get created with table : test1 where 
'userc' should be having {READ, WRITE, CREATE, ADMIN} permissions with delegated 
admin privilege.
**Actual behavior :** HBase policy 'grant-147976565541' was created for 
resource{table : test1, columnfamily : *, column : *} where 'userc' was having 
access permissions {READ, WRITE, CREATE, ADMIN} with delegated admin privileges.

4.2 **Revoke Request from HBase:**
Executed below given revoke command to revoke permissions and delegated admin 
privileges from user 'userc'.
=> revoke 'userc' ,'test1'

**Expected behavior :** HBase Policy 'grant-147976565541' should be updated 
where 'userc' should not appear in policy item and access list should be 
unchecked and delegated admin checkbox should also be unchecked.

**Actual behavior :** 
HBase Policy 'grant-147976565541' was updated where 'userc' was not appearing 
in policy item and access permissions checkboxes were unchecked and delegated 
admin checkbox was unchecked.


Thanks,

Pradeep Agrawal
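
The revoke handling described under "Proposed Solution" above, as a simplified model added here (not code from the patch or from Ranger): `PolicyItem`, `Policy`, `validate`, `revoke`, `delegated_admins` and the `KNOWN_*` sets are hypothetical names. It assumes that a partial revoke leaves the delegated admin flag as it was, since the description only states the empty-access-list case.

```python
from dataclasses import dataclass, field

# Constructed stand-in for Ranger's user/group store (assumption).
KNOWN_USERS, KNOWN_GROUPS = {"hive", "usera", "userb"}, {"analysts"}

@dataclass
class PolicyItem:              # hypothetical model of one 'ALLOW' policy item
    users: set
    groups: set
    accesses: set
    delegate_admin: bool = False

@dataclass
class Policy:                  # hypothetical model; only ALLOW items are touched
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    allow_exceptions: list = field(default_factory=list)

def validate(users, groups):
    """Changes 1 and 2: reject requests with no or unknown principals."""
    if not users and not groups:
        raise ValueError("request names no user or group")
    unknown = (set(users) - KNOWN_USERS) | (set(groups) - KNOWN_GROUPS)
    if unknown:
        raise ValueError(f"invalid user/group: {sorted(unknown)}")

def revoke(policy, users, groups, accesses):
    """Update existing ALLOW items; never add DENY or exception items."""
    validate(users, groups)
    users, groups, accesses = set(users), set(groups), set(accesses)
    updated = []
    for item in policy.allow:
        hit_u, hit_g = item.users & users, item.groups & groups
        if not (hit_u or hit_g):
            updated.append(item)
            continue
        rest_u, rest_g = item.users - users, item.groups - groups
        if rest_u or rest_g:   # principals not named in the request are untouched
            updated.append(PolicyItem(rest_u, rest_g, set(item.accesses), item.delegate_admin))
        left = item.accesses - accesses
        # Change 3: an empty access list also clears delegated admin,
        # so the revoked principal keeps no item at all.
        if left:
            updated.append(PolicyItem(hit_u, hit_g, left, item.delegate_admin))
    policy.allow = updated
    return policy

def delegated_admins(policy):
    """Users that still hold delegated admin through any ALLOW item."""
    return {u for i in policy.allow if i.delegate_admin for u in i.users}
```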
