Posted to dev@ranger.apache.org by "Pradeep Agrawal (JIRA)" <ji...@apache.org> on 2016/05/23 09:19:12 UTC

[jira] [Commented] (RANGER-443) Incorrect http status code for missing ranger portal permission

    [ https://issues.apache.org/jira/browse/RANGER-443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15296138#comment-15296138 ] 

Pradeep Agrawal commented on RANGER-443:
----------------------------------------

Tried the below-mentioned things on the latest code of the master branch:
1. Created user 'testuser1'.
2. Provided permission on the User-Group Module to user 'testuser1'; the row id generated for this entry in the x_user_module_perm table was 27.
3. Removed the permission of user 'testuser1' from the UI, which changed the is_allowed column value from 1 to 0.
4. To remove the permission entry from the table, called the DELETE REST API mentioned below:
curl -i -u admin:admin  --header "Accept:application/json" -H "Content-Type:application/json" -X DELETE http://localhost:8080/security-admin-web/service/xusers/permission/user/27
5. Now tried to access permission id 27 from a user having the 'User' role and from a user having the 'Admin' role.
a) Request from user (testuser1) having the 'User' role: curl -i -u testuser1:user1234  --header "Accept:application/json" -H "Content-Type:application/json" -X GET  http://localhost:8080/security-admin-web/service/xusers/permission/user/27
Response code received: 403 Forbidden
b) Request from user (admin) having the 'Admin' role: curl -i -u admin:admin  --header "Accept:application/json" -H "Content-Type:application/json" -X GET  http://localhost:8080/security-admin-web/service/xusers/permission/user/27
Response code received: 404 Not Found

Conclusion: Permission tab module access is restricted to users having the 'Admin' role. The @PreAuthorize annotation is executed before the called REST API is processed. Since permission-tab related operations (allowing/removing any user/group from any module) are restricted to only the 'Admin' role, a normal user shall always get response code 403.
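The ordering this comment describes (role check first, row lookup second) as an added illustration in Python, not Ranger's own code: a small stand-in for x_user_module_perm and a decorator that mimics @PreAuthorize, reproducing the 403 for a 'User' principal and the 404 for an 'Admin' principal once row 27 is gone. The user names, password-free principals and table layout are constructed for the model.

```python
from functools import wraps

# Constructed stand-in for Ranger's x_user_module_perm table: id -> row.
PERM_TABLE = {}
# Constructed principals and their portal roles.
USERS = {"admin": "Admin", "testuser1": "User"}


class HttpError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def pre_authorize(role):
    """Model of @PreAuthorize: evaluated before the handler body runs."""
    def deco(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kw):
            if USERS.get(principal) != role:
                raise HttpError(403)  # rejected before any table lookup
            return fn(principal, *args, **kw)
        return wrapper
    return deco


def grant(perm_id, user, module):
    """Step 2: a new row with is_allowed = 1."""
    PERM_TABLE[perm_id] = {"user": user, "module": module, "is_allowed": 1}


def revoke_from_ui(perm_id):
    """Step 3: UI removal only flips is_allowed to 0; the row stays."""
    PERM_TABLE[perm_id]["is_allowed"] = 0


def delete_via_rest(perm_id):
    """Step 4: DELETE .../xusers/permission/user/{id} drops the row."""
    PERM_TABLE.pop(perm_id, None)


@pre_authorize("Admin")
def get_user_permission(principal, perm_id):
    """GET .../xusers/permission/user/{id}; lookup runs only for Admin."""
    row = PERM_TABLE.get(perm_id)
    if row is None:
        raise HttpError(404)  # row really absent -> 404 (only reachable as Admin)
    return 200, row


def status_of(principal, perm_id):
    """Collapse a call into the HTTP status the caller would observe."""
    try:
        return get_user_permission(principal, perm_id)[0]
    except HttpError as e:
        return e.status
```

Because the role check fires first, a non-admin caller learns nothing about whether id 27 exists; only an admin can distinguish an existing row from a deleted one.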

> Incorrect http status code for missing ranger portal permission
> ---------------------------------------------------------------
>
>                 Key: RANGER-443
>                 URL: https://issues.apache.org/jira/browse/RANGER-443
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 0.5.0
>            Reporter: Dilli Arumugam
>            Assignee: Pradeep Agrawal
>            Priority: Minor
>
> Created user module permission.
> Deleted the permission.
> Tried to get the permission.
> curl -i -v -u permtestuser1:permtestuser1 -X GET -H "Accept: application/json" http://localhost:6080/service/xusers/permission/user/200
> About to connect() to localhost port 6080 (#0)
> Trying ::1... connected
> Connected to localhost (::1) port 6080 (#0)
> Server auth using Basic with user 'permtestuser1'
> > GET /service/xusers/permission/user/200 HTTP/1.1
> > Authorization: Basic cGVybXRlc3R1c2VyMTpwZXJtdGVzdHVzZXIx
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: localhost:6080
> > Accept: application/json
> > 
> < HTTP/1.1 400 Bad Request
> HTTP/1.1 400 Bad Request
> < Server: Apache-Coyote/1.1
> Server: Apache-Coyote/1.1
> < Set-Cookie: JSESSIONID=B33F499239B04ACAD15D6ADD38558AC0; Path=/; HttpOnly
> Set-Cookie: JSESSIONID=B33F499239B04ACAD15D6ADD38558AC0; Path=/; HttpOnly
> < Content-Type: application/json
> Content-Type: application/json
> < Transfer-Encoding: chunked
> Transfer-Encoding: chunked
> < Date: Mon, 27 Apr 2015 19:10:46 GMT
> Date: Mon, 27 Apr 2015 19:10:46 GMT
> < Connection: close
> Connection: close
> <
> Closing connection #0
> Unknown macro: {"statusCode"}
> Please note the status code
> HTTP/1.1 400 Bad Request
> It should return
> HTTP/1.1 404 Not Found