You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2021/12/03 18:06:05 UTC
Re: Review Request 73736: A delegate admin user should be able to add another user with all or subset of permissions they haveA delegate admin user should be able to add another user with all or subset of permissions they have
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73736/
-----------------------------------------------------------
(Updated Dec. 3, 2021, 6:06 p.m.)
Review request for ranger, Kishor Gollapalliwar, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated with the details of the JIRA.
Summary (updated)
-----------------
A delegate admin user should be able to add another user with all or subset of permissions they haveA delegate admin user should be able to add another user with all or subset of permissions they have
Bugs: RANGER-3535
https://issues.apache.org/jira/browse/RANGER-3535
Repository: ranger
Description (updated)
-------
Steps to reproduce:
Login to Ranger Admin as admin user
Create normal users (steve, peter, erwin, bob) in Ranger Admin
Create new policy p1 with resource /p1 & allowed users steve (read, delegate-admin) & peter (read, delegate-admin)
Create new policy p2 with resource /p2 & allowed users steve (read, write, delegate-admin) & peter (read, delegate-admin)
Create new policy p3 with resource /p3 & allowed users steve (write, delegate-admin) & peter (read, delegate-admin)
Create new policy p4 with resource /p4 & allowed users bob (read, write) & peter (read, delegate-admin)
Log out as admin user, and login again as peter
Try to add user erwin (read) in p1, p2, p3 & p4
delegate admin user peter should be able to add user erwin in all policies, but other than p1 rest all fails.
Requirement:
Delegate admin user should be able to add other users with permissions less or equal to his/ her.
Delegate admin user should not be able to add other users with permission more than what he/ she possesses. Basically he/ she can give permissions, all or sub-set of permissions he/ she possesses.
Delegate admin user should not be able to add more permissions to his own.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java c84d0bc9f
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 5311a54a2
Diff: https://reviews.apache.org/r/73736/diff/4/
Changes: https://reviews.apache.org/r/73736/diff/3-4/
Testing
-------
Thanks,
Abhay Kulkarni
Re: Review Request 73736: A delegate admin user should be able to add another user with all or subset of permissions they haveA delegate admin user should be able to add another user with all or subset of permissions they have
Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73736/#review223802
-----------------------------------------------------------
Ship it!
Ship It!
- Ramesh Mani
On Dec. 3, 2021, 6:06 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73736/
> -----------------------------------------------------------
>
> (Updated Dec. 3, 2021, 6:06 p.m.)
>
>
> Review request for ranger, Kishor Gollapalliwar, Madhan Neethiraj, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3535
> https://issues.apache.org/jira/browse/RANGER-3535
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce:
>
> Login to Ranger Admin as admin user
> Create normal users (steve, peter, erwin, bob) in Ranger Admin
> Create new policy p1 with resource /p1 & allowed users steve (read, delegate-admin) & peter (read, delegate-admin)
> Create new policy p2 with resource /p2 & allowed users steve (read, write, delegate-admin) & peter (read, delegate-admin)
> Create new policy p3 with resource /p3 & allowed users steve (write, delegate-admin) & peter (read, delegate-admin)
> Create new policy p4 with resource /p4 & allowed users bob (read, write) & peter (read, delegate-admin)
> Log out as admin user, and login again as peter
> Try to add user erwin (read) in p1, p2, p3 & p4
> delegate admin user peter should be able to add user erwin in all policies, but other than p1 rest all fails.
> Requirement:
>
> Delegate admin user should be able to add other users with permissions less or equal to his/ her.
> Delegate admin user should not be able to add other users with permission more than what he/ she possesses. Basically he/ she can give permissions, all or sub-set of permissions he/ she possesses.
> Delegate admin user should not be able to add more permissions to his own.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/ranger/plugin/model/RangerPolicyResourceSignature.java c84d0bc9f
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 5311a54a2
>
>
> Diff: https://reviews.apache.org/r/73736/diff/4/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Abhay Kulkarni
>
>