Posted to dev@ranger.apache.org by "Mahesh Hanumant Bandal (Jira)" <ji...@apache.org> on 2021/01/21 12:32:00 UTC

[jira] [Commented] (RANGER-3155) Roles are not accessible for Admin User through REST API

    [ https://issues.apache.org/jira/browse/RANGER-3155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17269262#comment-17269262 ] 

Mahesh Hanumant Bandal commented on RANGER-3155:
------------------------------------------------

Reverted the RANGER-3135 patch, as it breaks the current functionality of accessing roles for the Ranger admin, and provided a fix for its root cause to present a proper message when the role does not exist. Earlier it was showing "User doesn't have permissions to get details for role" even if the role does not exist.
With this patch the admin user can access roles, and if the role does not exist it shows the message "Role with name: ROLETEST does not exist". For a non-admin user it behaves as is. It shows "User doesn't have permissions to get details for ROLETEST".


This fix simply throws the error caught in the getRoleIfAccessible() function of the RoleREST.java class to the parent method. The parent method prints the appropriate message caught in the exception. It also reverts the changes made in RANGER-3135.

Testing done:
For admin user:
1. If the role is present - API returns role information.
2. If the role does not exist - API will return "Role with name: ROLETEST does not exist".
3. If the role exists and ?execUser=non-admin - API will return "User non-admin does not have privilege to role ROLETEST"


For non-admin user:
1. It shows "User doesn't have permissions to get details for ROLETEST".

> Roles are not accessible for Admin User through REST API
> --------------------------------------------------------
>
>                 Key: RANGER-3155
>                 URL: https://issues.apache.org/jira/browse/RANGER-3155
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Mahesh Hanumant Bandal
>            Assignee: Mahesh Hanumant Bandal
>            Priority: Major
>             Fix For: 3.0.0
>
>
> This issue was introduced by RANGER-3135.
> Following is the current observation:
>  I tried to access the GET API [http://localhost:6080/service/roles/roles/name/role1] with the admin user and it does not return roles which already exist, whereas select * from x_role returns two roles, i.e. role1, role2.
> The API returns the following response:
> {code:java}
> <vxResponse>
>     <msgDesc>Role with name: role1 does not exist</msgDesc>
>     <statusCode>1</statusCode>
> </vxResponse>
> {code}
> *With the admin user it shows the same response regardless of the role's existence.*
> =================================================================
> Resolution:
> The admin user should get roles when accessing them via the REST API. This JIRA should also focus on providing a fix for RANGER-3135, where the GET API /roles/name/{name} should provide a proper message when the role does not exist. In the case of a non-admin user, it should deny access to roles.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
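
The behaviour described in the comment above (an inner access check that throws a specific error, and a parent method that reports that error's message) can be sketched as follows. This is an added example, not code from the Ranger patch or from RoleREST.java: the class name, method signatures, the use of IllegalStateException, and the sample users and roles are all assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Illustrative sketch only; names and data are hypothetical, not Ranger's implementation.
public class RoleLookupSketch {
    // Constructed sample data: admin users, and role name -> users with privilege to it.
    static final Set<String> ADMINS = Set.of("admin");
    static final Map<String, Set<String>> ROLE_MEMBERS = Map.of(
            "role1", Set.of("alice"),
            "role2", Set.of("bob"));

    // Inner check: throws an exception carrying the specific reason instead of hiding it.
    static Set<String> getRoleIfAccessible(String roleName, String caller, String execUser) {
        // The permission check runs before the existence check, so a non-admin caller
        // gets the same answer whether or not the role exists.
        if (!ADMINS.contains(caller)) {
            throw new IllegalStateException(
                    "User doesn't have permissions to get details for " + roleName);
        }
        Set<String> members = ROLE_MEMBERS.get(roleName);
        if (members == null) {
            // Only an admin caller is told that the role is missing.
            throw new IllegalStateException("Role with name: " + roleName + " does not exist");
        }
        if (execUser != null && !members.contains(execUser)) {
            throw new IllegalStateException(
                    "User " + execUser + " does not have privilege to role " + roleName);
        }
        return members;
    }

    // Parent method: returns the role on success, otherwise the message from the exception.
    static String getRole(String roleName, String caller, String execUser) {
        try {
            return "OK " + roleName + " members=" + getRoleIfAccessible(roleName, caller, execUser);
        } catch (IllegalStateException e) {
            return "ERROR " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(getRole("role1", "admin", null));        // admin, role present
        System.out.println(getRole("ROLETEST", "admin", null));     // admin, role missing
        System.out.println(getRole("role1", "admin", "non-admin")); // admin with execUser
        System.out.println(getRole("role1", "non-admin", null));    // non-admin, role present
        System.out.println(getRole("ROLETEST", "non-admin", null)); // non-admin, role missing
    }
}
```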