Posted to dev@ranger.apache.org by Kishor Gollapalliwar <ki...@gmail.com> on 2021/12/01 12:08:14 UTC
Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------
(Updated Dec. 1, 2021, 12:08 p.m.)
Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
Bugs: RANGER-3502
https://issues.apache.org/jira/browse/RANGER-3502
Repository: ranger
Description
-------
Currently, the get zones API returns all zones even for users who are not authorized to the zone module. Restrict this API to only users who are authorized to the zone module.
Steps to reproduce:
Create an internal user named test_user1
Remove the permission on the Security Zone module for this user
Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
Access the API using the following curls:
1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 6ab3d52a0
security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370
security-admin/src/main/resources/META-INF/jpa_named_queries.xml a19f7f1d8
security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513
security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d
security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27
security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31
security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694
Diff: https://reviews.apache.org/r/73673/diff/5/
Changes: https://reviews.apache.org/r/73673/diff/4-5/
Testing
-------
1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module
5. Verified curl (GET zones API) with non-admin user having access to zone module
6. Verified UI login with non-admin user having NO access to zone module
7. Verified curl (GET zones API) with non-admin user having NO access to zone module
8. Created/updated/deleted services
9. Created/updated/deleted policies
10. Created/updated/deleted zones & attached them to services
11. Verified behaviour of the dashboard, report, access audit, import & export functionalities
Thanks,
Kishor Gollapalliwar
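Testing items 3, 5 and 7 above as a repeatable check, added here and not part of the review request or of Ranger's own test suite: it assumes the restricted endpoints answer 403 Forbidden to callers without Security Zone module access, and the accounts, zone id/name and the fake_ranger stand-in are constructed for an offline run.

```python
import base64
import urllib.error
import urllib.request

# The three endpoints from the review request's reproduction steps.
ZONE_ENDPOINTS = ("/service/zones/zones",
                  "/service/zones/zones/{ID}",
                  "/service/zones/zones/name/{ZONE_NAME}")

def expected_status(has_zone_module_access):
    # Assumption: 200 for callers with Security Zone module access, 403 otherwise.
    return 200 if has_zone_module_access else 403

def http_get_status(base_url, path, user, password):
    """Live GET with HTTP basic auth; returns the status code, 4xx included.
    TLS verification stays on (the curls in the description pass -k to skip it)."""
    req = urllib.request.Request(base_url + path, headers={"Accept": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_zone_api_authz(fetch, accounts, zone_id, zone_name):
    """Try every account against every endpoint and return one
    (user, path, expected, actual) tuple per status that does not match."""
    failures = []
    for user, password, has_access in accounts:
        for template in ZONE_ENDPOINTS:
            path = template.replace("{ID}", str(zone_id)).replace("{ZONE_NAME}", zone_name)
            got = fetch(path, user, password)
            want = expected_status(has_access)
            if got != want:
                failures.append((user, path, want, got))
    return failures

def fake_ranger(users_with_zone_access):
    # Constructed stand-in for Ranger Admin: 200 only for users in the set, else 403.
    return lambda path, user, password: 200 if user in users_with_zone_access else 403

if __name__ == "__main__":
    # Constructed accounts: (user, password, has Security Zone module access).
    accounts = [("admin", "ADMIN_PW", True), ("zone_user", "ZONE_PW", True),
                ("test_user1", "pass@123", False)]
    # Pre-fix behaviour hands zones to everyone, so test_user1 is flagged three times.
    print(check_zone_api_authz(fake_ranger({"admin", "zone_user", "test_user1"}),
                               accounts, 1, "zone1"))
```

Against a live host, pass `functools.partial(http_get_status, "https://<RANGER_ADMIN_HOST>:6182")` as `fetch`; an empty result means every account got exactly the status its module permission entitles it to.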
Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223785
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
Line 740 (patched)
<https://reviews.apache.org/r/73673/#comment312862>
'@Path("/api/zones/headers")' conflicts with the patch in #129: '@Path("/api/zones/{id}")'.
Consider using "/api/zone-headers" as path.
Also, it will help to have all "zone" methods together i.e. move lines #733 - #789 right after #139.
- Madhan Neethiraj
On Dec. 1, 2021, 12:08 p.m., Kishor Gollapalliwar wrote:
Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/#review223810
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
On Dec. 6, 2021, 12:22 p.m., Kishor Gollapalliwar wrote:
Re: Review Request 73673: RANGER-3502: Make GET zone APIs accessible to authorized users only
Posted by Kishor Gollapalliwar <ki...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73673/
-----------------------------------------------------------
(Updated Dec. 6, 2021, 12:22 p.m.)
Review request for ranger, Dhaval Rajpara, Abhay Kulkarni, Madhan Neethiraj, Mahesh Bandal, Nitin Galave, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, Vishal Suvagia, and Velmurugan Periasamy.
Bugs: RANGER-3502
https://issues.apache.org/jira/browse/RANGER-3502
Repository: ranger
Description
-------
Currently, the get zones API returns all zones even for users who are not authorized to the zone module. Restrict this API to only users who are authorized to the zone module.
Steps to reproduce:
Create an internal user named test_user1
Remove the permission on the Security Zone module for this user
Log in to Ranger Admin as test_user1; the user should not be able to see the Security Zone tab
Access the API using the following curls:
1. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
2. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
3. curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerSecurityZoneHeaderInfo.java PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/model/RangerServiceHeaderInfo.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java 12ad7e676
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneDao.java 46ff16f37
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefServiceDao.java f5c1a882f
security-admin/src/main/java/org/apache/ranger/db/XXSecurityZoneRefTagServiceDao.java c30dba1ce
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 204cadbf0
security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java fcf843370
security-admin/src/main/resources/META-INF/jpa_named_queries.xml 539d600c8
security-admin/src/main/webapp/scripts/controllers/Controller.js 74f2af513
security-admin/src/main/webapp/scripts/views/UploadServicePolicy.js f7d3b7316
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayout.js 11d471137
security-admin/src/main/webapp/scripts/views/policymanager/ServiceLayoutSidebar.js 67a577c20
security-admin/src/main/webapp/scripts/views/reports/AuditLayout.js 2acf35f3d
security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js e6ec81f27
security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java f9ea26a31
security-admin/src/test/java/org/apache/ranger/rest/TestSecurityZoneREST.java d6384a694
Diff: https://reviews.apache.org/r/73673/diff/6/
Changes: https://reviews.apache.org/r/73673/diff/5-6/
Testing
-------
1. mvn clean compile package install verify
2. Verified UI login with admin user
3. Verified curl (GET zones API) with admin user
4. Verified UI login with non-admin user having access to zone module
5. Verified curl (GET zones API) with non-admin user having access to zone module
6. Verified UI login with non-admin user having NO access to zone module
7. Verified curl (GET zones API) with non-admin user having NO access to zone module
8. Created/updated/deleted services
9. Created/updated/deleted policies
10. Created/updated/deleted zones & attached them to services
11. Verified behaviour of the dashboard, report, access audit, import & export functionalities
Thanks,
Kishor Gollapalliwar