-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49795/#review142282
-----------------------------------------------------------

Ship it!


Ship It!

- Madhan Neethiraj


On July 14, 2016, 2:29 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49795/
> -----------------------------------------------------------
>
> (Updated July 14, 2016, 2:29 p.m.)
>
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj,
> and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1090
>     https://issues.apache.org/jira/browse/RANGER-1090
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement :**
> Revoke command with 'revoke grant option' does not disable delegated admin
> permission for users/groups in the corresponding policy.
>
> Currently Revoke request deletes the applicable policy item and creates three
> additional policy item of 'ALLOW', 'DENY' and 'ALLOW_EXCEPTIONS' type in
> x_policy_item table. Reference entries are also getting created in
> x_policy_item_access and x_policy_item_user_perm/x_policy_item_group_perm
> tables. This should not happen in case of revoke request.
>
> **Proposed Solution :**
> Removed the implementation which was creating additional policy items and
> featured the revoke request call only for 'Allow' policy type; From
> processRevokeRequest() called the required/available method to remove policy
> item access list and update the existing policy.
>
> Proposed patch contains few other changes also:
> 1. If Grant/Revoke request does not contain any user/group then request will
> fail.
> 2. If Grant/Revoke request contains invalid user/group then request will fail.
> 3. If Revoke request is valid and if it seems that after processing the
> request policy item access list shall be empty then delegatedadmin flag shall
> be set to false.
>
>
> Diffs
> -----
>
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 242a27e
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 6cb1968
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java dcae9b4
>
> Diff: https://reviews.apache.org/r/49795/diff/
>
>
> Testing
> -------
>
> **Steps Performed(with patch) :**
>
> 1. Installed Ranger, Hive and HBase Component.
> 2. Enabled Ranger for Hive and HBase component.
>
> Note : hive/hbase users were having delegated admin privilege on respective
> default policies.
>
> 3. **Grant/Revoke Case on Hive:**
> Logged into hive cli using command :
> => beeline -u jdbc:hive2://localhost:10000 -n hive -p hive
>
> 3.1 **Grant Request from Hive:**
> Executed below given grant command to grant permissions to user 'usera' with
> grant option.
> => GRANT ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT ON TABLE default.test1 TO USER usera WITH GRANT OPTION;
>
> **Expected behavior :** Policy should get created with database : default,
> table : test1 where 'usera' should be having {ALTER, UPDATE, CREATE, DROP,
> INDEX, LOCK, SELECT} access permissions with delegated admin privilege.
> **Actual behavior :** Hive policy 'grant-1467992197557' was created for
> resource{database : default, table : test1} where 'usera' was having access
> permissions {ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT} with delegated
> admin privileges.
>
> 3.2 **Revoke Request from Hive:**
> Executed below given revoke command to revoke permissions and delegated admin
> privileges from user 'usera'.
> => REVOKE grant option for ALTER, UPDATE, CREATE, DROP, INDEX, LOCK, SELECT ON TABLE default.test1 FROM USER usera;
>
> **Expected behavior :** Hive Policy 'grant-1467992197557' should be updated
> where 'usera' should not appear in policy item and access list should be
> unchecked and delegated admin checkbox should also be unchecked
>
> **Actual behavior :**
> Hive Policy 'grant-1467992197557' was updated where 'usera' was not appearing
> in policy item and access permissions checkbox were unchecked and delegated
> admin checkbox was unchecked.
>
> 4. **Grant/Revoke Case on HBase:**
> Logged into Hbase cli using command : Logged in from hbase user in terminal
> and executed command
> => Hbase shell
>
> 4.1 **Grant Request from HBase:**
> Executed below given grant command to grant permissions to user 'userc' with
> grant option.
> => grant 'userc','RWCA','test1'
>
> **Expected behavior :** Policy should get created with table : test1 where
> 'userc' should be having {READ, WRITE,CREATE,ADMIN} permissions with
> delegated admin privilege.
> **Actual behavior :** HBase policy 'grant-147976565541' was created for
> resource{table : test1,columnfamily : *, column : *} where 'userc' was having
> access permissions {READ, WRITE,CREATE,ADMIN} with delegated admin privileges.
>
> 4.2 **Revoke Request from HBase:**
> Executed below given revoke command to revoke permissions and delegated admin
> privileges from user 'userc'.
> => revoke 'userc' ,'test1'
>
> **Expected behavior :** HBase Policy 'grant-147976565541' should be updated
> where 'userc' should not appear in policy item and access list should be
> unchecked and delegated admin checkbox should also be unchecked
>
> **Actual behavior :**
> HBase Policy 'grant-147976565541' was updated where 'userc' was not appearing
> in policy item and access permissions checkbox were unchecked and delegated
> admin checkbox was unchecked.
>
>
> Thanks,
>
> Pradeep Agrawal
>
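
The revoke semantics described in the quoted review request, as an added example that is not part of the original e-mail or of the Ranger patch: a simplified per-user model of a policy's ALLOW grants showing the three validation and cleanup rules. `RevokeModel`, `Grant`, `KNOWN_USERS` and `revokeGrantOption` are hypothetical names, and groups are left out for brevity.

```java
import java.util.*;

// Added illustration: a simplified model, not Ranger's classes or method names.
public class RevokeModel {
    // Permissions one user holds in a policy's ALLOW items (hypothetical shape).
    static class Grant {
        final Set<String> accesses = new TreeSet<>();
        boolean delegateAdmin;
        Grant(boolean delegateAdmin, String... accesses) {
            this.delegateAdmin = delegateAdmin;
            this.accesses.addAll(Arrays.asList(accesses));
        }
    }

    // Constructed stand-in for the user lookup that request validation relies on.
    static final Set<String> KNOWN_USERS = Set.of("hive", "usera");

    static void revoke(Map<String, Grant> allow, Set<String> users,
                       Set<String> accesses, boolean revokeGrantOption) {
        // Rules 1 and 2 of the description: reject empty or unknown principals up front.
        if (users == null || users.isEmpty())
            throw new IllegalArgumentException("request names no user/group");
        for (String u : users)
            if (!KNOWN_USERS.contains(u))
                throw new IllegalArgumentException("invalid user: " + u);
        // Edit the existing ALLOW grant in place; never add DENY or exception items.
        for (String u : users) {
            Grant g = allow.get(u);
            if (g == null) continue;
            g.accesses.removeAll(accesses);
            if (revokeGrantOption || g.accesses.isEmpty())
                g.delegateAdmin = false;   // rule 3: no admin flag on an empty grant
            if (g.accesses.isEmpty())
                allow.remove(u);           // user no longer appears in the policy
        }
    }

    public static void main(String[] args) {
        Map<String, Grant> allow = new HashMap<>();
        allow.put("usera", new Grant(true, "ALTER", "SELECT", "UPDATE"));
        revoke(allow, Set.of("usera"), Set.of("ALTER"), false);   // partial revoke
        Grant g = allow.get("usera");
        System.out.println(g.accesses + " delegateAdmin=" + g.delegateAdmin);
        revoke(allow, Set.of("usera"), Set.of("SELECT", "UPDATE"), true);
        System.out.println("usera still in policy: " + allow.containsKey("usera"));
        try {
            revoke(allow, Set.of("unknown_user"), Set.of("SELECT"), true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```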
