Posted to dev@ranger.apache.org by Kishor Gollapalliwar <ki...@gmail.com> on 2021/12/01 12:08:14 UTC

Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------

(Updated Dec. 1, 2021, 12:08 p.m.)


Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.


Bugs: RANGER-3502
    https://issues.apache.org/jira/browse/RANGER-3502


Repository: ranger


Description
-------

Currently the GET zones API returns all zones even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.

Steps to reproduce:

Create an internal user named test_user1
Remove the permission on the Security Zone module for this user
Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
Access the API using the following curl commands
1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce 
  security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 6ab3d52a0 
  security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml a19f7f1d8 
  security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513 
  security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20 
  security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d 
  security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27 
  security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31 
  security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694 


Diff: https://reviews.apache.org/r/73673/diff/5/

Changes: https://reviews.apache.org/r/73673/diff/4-5/


Testing
-------

1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module 
5. Verified curl (GET zones API) with non-admin user having access to zone module
6. Verified UI login with non-admin user having NO access to zone module 
7. Verified curl (GET zones API) with non-admin user having NO access to zone module
8. Created / updated / deleted services
9. Created / updated / deleted policies
10. Created / updated / deleted zones & attached them to services
11. Verified behaviour on dashboard, report, access audit import & export functionalities


Thanks,

Kishor Gollapalliwar


Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223785
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
Lines 740 (patched)
<https://reviews.apache.org/r/73673/#comment312862>

    '@Path("/api/zones/headers")' conflicts with the patch in #129:	'@Path("/api/zones/{id}")'.
    
    Consider using "/api/zone-headers" as path.
    
    Also, it will help to have all "zone" methods together i.e. move lines #733 - #789 right after #139.


- Madhan Neethiraj


On Dec. 1, 2021, 12:08 p.m., Kishor Gollapalliwar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73673/
> -----------------------------------------------------------
> 
> (Updated Dec. 1, 2021, 12:08 p.m.)
> 
> 
> Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3502
>     https://issues.apache.org/jira/browse/RANGER-3502
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently the GET zones API returns all zones even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.
> 
> Steps to reproduce:
> 
> Create an internal user named test_user1
> Remove the permission on the Security Zone module for this user
> Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
> Access the API using the following curl commands
> 1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
> 2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
> 3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce 
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 6ab3d52a0 
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml a19f7f1d8 
>   security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513 
>   security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316 
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137 
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20 
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d 
>   security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27 
>   security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31 
>   security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694 
> 
> 
> Diff: https://reviews.apache.org/r/73673/diff/5/
> 
> 
> Testing
> -------
> 
> 1. mvn clean compile package install verify
> 2. Verified UI login with admin user
> 3. Verified curl (GET zones API) with admin user
> 4. Verified UI login with non-admin user having access to zone module 
> 5. Verified curl (GET zones API) with non-admin user having access to zone module
> 6. Verified UI login with non-admin user having NO access to zone module 
> 7. Verified curl (GET zones API) with non-admin user having NO access to zone module
> 8. Created / updated / deleted services
> 9. Created / updated / deleted policies
> 10. Created / updated / deleted zones & attached them to services
> 11. Verified behaviour on dashboard, report, access audit import & export functionalities
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>


Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223810
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On Dec. 6, 2021, 12:22 p.m., Kishor Gollapalliwar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73673/
> -----------------------------------------------------------
> 
> (Updated Dec. 6, 2021, 12:22 p.m.)
> 
> 
> Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3502
>     https://issues.apache.org/jira/browse/RANGER-3502
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently the GET zones API returns all zones even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.
> 
> Steps to reproduce:
> 
> Create an internal user named test_user1
> Remove the permission on the Security Zone module for this user
> Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
> Access the API using the following curl commands
> 1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
> 2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
> 3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION 
>   agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION 
>   security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f 
>   security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce 
>   security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 204cadbf0 
>   security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370 
>   security-admin/src/main/resources/META-INF/jpa_named_queries.xml 539d600c8 
>   security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513 
>   security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316 
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137 
>   security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20 
>   security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d 
>   security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27 
>   security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31 
>   security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694 
> 
> 
> Diff: https://reviews.apache.org/r/73673/diff/6/
> 
> 
> Testing
> -------
> 
> 1. mvn clean compile package install verify
> 2. Verified UI login with admin user
> 3. Verified curl (GET zones API) with admin user
> 4. Verified UI login with non-admin user having access to zone module 
> 5. Verified curl (GET zones API) with non-admin user having access to zone module
> 6. Verified UI login with non-admin user having NO access to zone module 
> 7. Verified curl (GET zones API) with non-admin user having NO access to zone module
> 8. Created / updated / deleted services
> 9. Created / updated / deleted policies
> 10. Created / updated / deleted zones & attached them to services
> 11. Verified behaviour on dashboard, report, access audit import & export functionalities
> 
> 
> Thanks,
> 
> Kishor Gollapalliwar
> 
>


Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only

Posted by Kishor Gollapalliwar <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------

(Updated Dec. 6, 2021, 12:22 p.m.)


Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.


Bugs: RANGER-3502
    https://issues.apache.org/jira/browse/RANGER-3502


Repository: ranger


Description
-------

Currently the GET zones API returns all zones even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.

Steps to reproduce:

Create an internal user named test_user1
Remove the permission on the Security Zone module for this user
Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
Access the API using the following curl commands
1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION 
  agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION 
  security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f 
  security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce 
  security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 204cadbf0 
  security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml 539d600c8 
  security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513 
  security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137 
  security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20 
  security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d 
  security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27 
  security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31 
  security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694 


Diff: https://reviews.apache.org/r/73673/diff/6/

Changes: https://reviews.apache.org/r/73673/diff/5-6/


Testing
-------

1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module 
5. Verified curl (GET zones API) with non-admin user having access to zone module
6. Verified UI login with non-admin user having NO access to zone module 
7. Verified curl (GET zones API) with non-admin user having NO access to zone module
8. Created / updated / deleted services
9. Created / updated / deleted policies
10. Created / updated / deleted zones & attached them to services
11. Verified behaviour on dashboard, report, access audit import & export functionalities


Thanks,

Kishor Gollapalliwar
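
Added example (not part of the review request above, and not Apache Ranger code): a small Python check that automates the three curl calls from the "Steps to reproduce" section in the Dec. 1 and Dec. 6 messages, so that the bypass can be re-verified with a user who lacks the Security Zone module permission before and after applying the patch. It assumes, beyond what the thread states, that Ranger Admin answers a module-permission failure with HTTP 401/403, that the list endpoint returns a JSON object carrying a "securityZones" array, and that the by-id and by-name endpoints return a single zone object with a "name" field. The host, credentials, zone id and zone name are placeholders, and the fake_fetch_* responses are constructed, not captured from a real server.

```python
"""Check whether Ranger Admin GET zone APIs hand zone data to a user without the
Security Zone module permission (RANGER-3502). Example code written for this
page, not part of Apache Ranger; response shapes and the 401/403 denial are
assumptions, and every host, user and zone below is a placeholder."""
import base64
import json
import os
import ssl
import urllib.request
from urllib.error import HTTPError

# The three endpoints from the reproduction steps; {id} and {name} are filled in.
ZONE_ENDPOINTS = (
    "/service/zones/zones",
    "/service/zones/zones/{id}",
    "/service/zones/zones/name/{name}",
)


def zone_urls(base_url, zone_id, zone_name):
    """Expand the endpoint templates against a Ranger Admin base URL."""
    base = base_url.rstrip("/")
    return [base + path.format(id=zone_id, name=zone_name) for path in ZONE_ENDPOINTS]


def classify(status, body):
    """Map one (status, body) pair to DENIED, LEAK, EMPTY or UNEXPECTED_<status>."""
    if status in (401, 403):
        return "DENIED"
    if status != 200:
        return f"UNEXPECTED_{status}"
    try:
        data = json.loads(body) if body.strip() else None
    except json.JSONDecodeError:
        return "UNEXPECTED_200"
    if data is None:
        return "EMPTY"
    if isinstance(data, list):                    # defensive: a bare JSON array
        return "LEAK" if data else "EMPTY"
    if isinstance(data, dict):
        zones = data.get("securityZones")          # assumed shape of the list endpoint
        if isinstance(zones, list):
            return "LEAK" if zones else "EMPTY"
        if "name" in data:                         # assumed shape of a single zone
            return "LEAK"
    return "UNEXPECTED_200"


def fetch_basic_auth(url, user, password, verify_tls=True):
    """Real fetcher: GET with HTTP Basic auth, returning (status, body)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Authorization": "Basic " + token, "Accept": "application/json"})
    ctx = None
    if not verify_tls:                             # only for lab hosts with self-signed certs
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:                       # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url, zone_id, zone_name, fetch):
    """Run all three GETs through fetch(url) -> (status, body); map url -> verdict."""
    return {url: classify(*fetch(url)) for url in zone_urls(base_url, zone_id, zone_name)}


def leaks(results):
    """URLs that returned zone data to the unauthorised user."""
    return sorted(url for url, verdict in results.items() if verdict == "LEAK")


# Constructed responses (not captured from a real server) modelling the two states.
def fake_fetch_before_fix(url):
    if url.endswith("/service/zones/zones"):
        return 200, '{"securityZones":[{"id":1,"name":"zone1"}],"totalCount":1}'
    return 200, '{"id":1,"name":"zone1","services":{}}'


def fake_fetch_after_fix(url):
    return 403, '{"msgDesc":"constructed forbidden response"}'


if __name__ == "__main__":
    # Live run: RANGER_URL=https://<RANGER_ADMIN_HOST>:6182 RANGER_USER=test_user1 RANGER_PASS=... python3 zone_leak_check.py
    base = os.environ.get("RANGER_URL")
    if base:
        user, pw = os.environ["RANGER_USER"], os.environ["RANGER_PASS"]
        zid, zname = os.environ.get("ZONE_ID", "1"), os.environ.get("ZONE_NAME", "zone1")
        verify = os.environ.get("VERIFY_TLS", "1") == "1"
        fetch = lambda u: fetch_basic_auth(u, user, pw, verify_tls=verify)
    else:                                          # offline demo on the constructed responses
        base, zid, zname, fetch = "https://ranger.example:6182", 1, "zone1", fake_fetch_before_fix
    results = audit(base, zid, zname, fetch)
    for url, verdict in results.items():
        print(f"{verdict:16} {url}")
    print("RESULT:", "zone data leaked" if leaks(results) else "no zone data returned")
```

Run it as test_user1 (the user with the module permission removed) before and after the patch: a LEAK verdict on any of the three URLs means the endpoint still serves zone data to a user who cannot see the Security Zone tab in the UI; an EMPTY verdict is inconclusive and means no zone existed to leak, so create one first. The check deliberately treats 401 and 403 alike, because either ends the bypass; use an admin or a zone-permitted user in a second run to confirm the endpoints still work for authorized callers.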