You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@ranger.apache.org by pr...@apache.org on 2022/08/23 04:45:05 UTC

[ranger] branch master updated: RANGER-3837: Changed ensureAdminAccess and getRoleIfAccessible so that both admins and service admins can now get,create,edit,delete roles

This is an automated email from the ASF dual-hosted git repository.

pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new eaeaeb4ed RANGER-3837: Changed ensureAdminAccess and getRoleIfAccessible so that both admins and service admins can now get,create,edit,delete roles
eaeaeb4ed is described below

commit eaeaeb4ed3fbb0db1abe291e67769484aba20f9e
Author: Fateh Singh <fa...@gmail.com>
AuthorDate: Fri Jul 22 09:26:12 2022 -0700

    RANGER-3837: Changed ensureAdminAccess and getRoleIfAccessible so that both admins and service admins can now get,create,edit,delete roles
    
    Signed-off-by: pradeep <pr...@apache.org>
---
 security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index 1e74a5ffd..a2ab49a88 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -909,7 +909,7 @@ public class RoleREST {
             effectiveUser = loggedInUser;
         }
 
-        if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
+        if (!bizUtil.isUserRangerAdmin(effectiveUser) && !svcStore.isServiceAdminUser(serviceName, effectiveUser)) {
             throw new Exception("User " + effectiveUser + " does not have permission for this operation");
         }
     }
@@ -937,7 +937,7 @@ public class RoleREST {
             effectiveUser = loggedInUser;
         }
         try {
-            if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
+            if (!bizUtil.isUserRangerAdmin(effectiveUser) && !svcStore.isServiceAdminUser(serviceName, effectiveUser)) {
                 existingRole = roleStore.getRole(roleName);
                 ensureRoleAccess(effectiveUser, userGroups, existingRole);