Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@freestoneinfotech.com> on 2016/07/19 06:07:55 UTC

Review Request 50118: RANGER-1090 : Revoke command with grant option does not disable delegated admin permission for users/groups in the corresponding policy

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50118/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1090
    https://issues.apache.org/jira/browse/RANGER-1090


Repository: ranger


Description
-------

**Note:** This review request is part of RR-49795(RANGER-1090)

**Problem Statement :**
Revoke command with 'revoke grant option' does not disable delegated admin permission for users/groups in the corresponding policy.

Currently, the Revoke request deletes the applicable policy item and creates two additional policy items of 'ALLOW', 'DENY_EXCEPTIONS' type in the x_policy_item table. Reference entries are also getting created in the x_policy_item_access and x_policy_item_user_perm/x_policy_item_group_perm tables. This should not happen in case of a revoke request.

**Proposed Solution :**
Removed the implementation which was creating additional policy items and featured the revoke request call only for 'Allow' policy type; from processRevokeRequest(), called the required/available method to remove the policy item access list and update the existing policy.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java d794565 

Diff: https://reviews.apache.org/r/50118/diff/


Testing
-------

**Case-1 :** Upgrade Case : Validated Revoke request (with patch) for a resource where the policy was created using the grant command in a previous version of Ranger (0.6). The revoke command was not executed through the previous version of Ranger (0.6) for the same resource.
**Case-2 :** Upgrade Case : Validated Revoke request (with patch) for a resource where the policy was created using the grant command in a previous version of Ranger (0.6). The revoke command was also executed through the previous version of Ranger (0.6) for the same resource.
**Case-3 :** Fresh installation case : Validated Grant/Revoke request (with patch) for a resource where a policy for the resource does not exist.


Thanks,

Pradeep Agrawal
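
A minimal model of the revoke behaviour described in the proposed solution above, added here as an illustration; it is not the patch under review or Ranger's own code. The `Item` class, the `revoke` method and the sample policy are hypothetical, and the model assumes one principal per 'Allow' item and that an item left with no accesses and no delegated admin is dropped.

```java
import java.util.*;

public class RevokeModel {
    // Hypothetical stand-in for one 'Allow' policy item: a principal,
    // its access types, and the delegated-admin flag.
    static final class Item {
        final String principal;
        final Set<String> accesses;
        boolean delegateAdmin;
        Item(String principal, boolean delegateAdmin, String... accesses) {
            this.principal = principal;
            this.delegateAdmin = delegateAdmin;
            this.accesses = new TreeSet<>(Arrays.asList(accesses));
        }
        @Override public String toString() {
            return principal + " " + accesses + " delegateAdmin=" + delegateAdmin;
        }
    }

    // Edits matching items in place and never appends items.
    // Returns true if the policy changed and needs to be saved.
    static boolean revoke(List<Item> allowItems, Set<String> principals,
                          Set<String> accessTypes, boolean revokeGrantOption) {
        boolean updated = false;
        for (Iterator<Item> it = allowItems.iterator(); it.hasNext(); ) {
            Item item = it.next();
            if (!principals.contains(item.principal)) continue;
            updated |= item.accesses.removeAll(accessTypes);
            if (revokeGrantOption && item.delegateAdmin) {
                item.delegateAdmin = false;   // the step RANGER-1090 reports as missing
                updated = true;
            }
            if (item.accesses.isEmpty() && !item.delegateAdmin) it.remove();
        }
        return updated;
    }

    public static void main(String[] args) {
        // Constructed sample policy, not data from the review request.
        List<Item> allow = new ArrayList<>(List.of(
            new Item("user:alice", true, "select", "update"),
            new Item("group:analysts", true, "select"),
            new Item("user:bob", false, "select")));
        Set<String> revoked = Set.of("user:alice", "group:analysts");
        int before = allow.size();
        revoke(allow, revoked, Set.of("select"), true);
        allow.forEach(System.out::println);
        // Post-conditions to check after a revoke: no items added, no delegated admin left.
        boolean grew = allow.size() > before;
        boolean stillAdmin = allow.stream()
            .anyMatch(i -> revoked.contains(i.principal) && i.delegateAdmin);
        System.out.println("items added: " + grew + ", delegated admin remains: " + stillAdmin);
    }
}
```

The two post-conditions printed at the end correspond to the two symptoms in the problem statement and can serve as assertions in a regression test for the revoke path.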


Re: Review Request 50118: RANGER-1090 : Revoke command with grant option does not disable delegated admin permission for users/groups in the corresponding policy

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50118/#review142715
-----------------------------------------------------------


Ship it!




Ship It!

- Abhay Kulkarni


On July 19, 2016, 6:07 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50118/
> -----------------------------------------------------------
> 
> (Updated July 19, 2016, 6:07 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1090
>     https://issues.apache.org/jira/browse/RANGER-1090
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Note:** This review request is part of RR-49795(RANGER-1090)
> 
> **Problem Statement :**
> Revoke command with 'revoke grant option' does not disable delegated admin permission for users/groups in the corresponding policy.
> 
> Currently, the Revoke request deletes the applicable policy item and creates two additional policy items of 'ALLOW', 'DENY_EXCEPTIONS' type in the x_policy_item table. Reference entries are also getting created in the x_policy_item_access and x_policy_item_user_perm/x_policy_item_group_perm tables. This should not happen in case of a revoke request.
> 
> **Proposed Solution :**
> Removed the implementation which was creating additional policy items and featured the revoke request call only for 'Allow' policy type; from processRevokeRequest(), called the required/available method to remove the policy item access list and update the existing policy.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java d794565 
> 
> Diff: https://reviews.apache.org/r/50118/diff/
> 
> 
> Testing
> -------
> 
> **Case-1 :** Upgrade Case : Validated Revoke request (with patch) for a resource where the policy was created using the grant command in a previous version of Ranger (0.6). The revoke command was not executed through the previous version of Ranger (0.6) for the same resource.
> **Case-2 :** Upgrade Case : Validated Revoke request (with patch) for a resource where the policy was created using the grant command in a previous version of Ranger (0.6). The revoke command was also executed through the previous version of Ranger (0.6) for the same resource.
> **Case-3 :** Fresh installation case : Validated Grant/Revoke request (with patch) for a resource where a policy for the resource does not exist.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>


Re: Review Request 50118: RANGER-1090 : Revoke command with grant option does not disable delegated admin permission for users/groups in the corresponding policy

Posted by Gautam Borad <gb...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50118/#review142733
-----------------------------------------------------------


Ship it!




Ship It!

- Gautam Borad


On July 19, 2016, 6:07 a.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50118/
> -----------------------------------------------------------
> 
> (Updated July 19, 2016, 6:07 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1090
>     https://issues.apache.org/jira/browse/RANGER-1090
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Note:** This review request is part of RR-49795(RANGER-1090)
> 
> **Problem Statement :**
> Revoke command with 'revoke grant option' does not disable delegated admin permission for users/groups in the corresponding policy.
> 
> Currently, the Revoke request deletes the applicable policy item and creates two additional policy items of 'ALLOW', 'DENY_EXCEPTIONS' type in the x_policy_item table. Reference entries are also getting created in the x_policy_item_access and x_policy_item_user_perm/x_policy_item_group_perm tables. This should not happen in case of a revoke request.
> 
> **Proposed Solution :**
> Removed the implementation which was creating additional policy items and featured the revoke request call only for 'Allow' policy type; from processRevokeRequest(), called the required/available method to remove the policy item access list and update the existing policy.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceRESTUtil.java d794565 
> 
> Diff: https://reviews.apache.org/r/50118/diff/
> 
> 
> Testing
> -------
> 
> **Case-1 :** Upgrade Case : Validated Revoke request (with patch) for a resource where the policy was created using the grant command in a previous version of Ranger (0.6). The revoke command was not executed through the previous version of Ranger (0.6) for the same resource.
> **Case-2 :** Upgrade Case : Validated Revoke request (with patch) for a resource where the policy was created using the grant command in a previous version of Ranger (0.6). The revoke command was also executed through the previous version of Ranger (0.6) for the same resource.
> **Case-3 :** Fresh installation case : Validated Grant/Revoke request (with patch) for a resource where a policy for the resource does not exist.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>