Posted to dev@ranger.apache.org by "Abhishek (Jira)" <ji...@apache.org> on 2023/02/15 11:23:00 UTC

[jira] [Updated] (RANGER-4086) An admin user without permissions on all permission modules is able to view permissions module page and assign permissions to self

     [ https://issues.apache.org/jira/browse/RANGER-4086?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhishek updated RANGER-4086:
-----------------------------
    Description: 
On the Ranger UI, create a new admin user and log in as the newly created user in a different browser.
Then remove the permissions for the user on any module.
In the second browser, the newly created user is still able to access the permissions module page and is able to assign permissions to self.
Ideally, if a user does not have access to all the permission modules, then the user should not be able to edit permissions,
or if a user tries to remove permissions for an admin user, it should result in an error or a notification stating that permissions for admin users can't be removed.

  was:
On the Ranger UI, create a new admin user and log in as the newly created user in a different browser.
Then remove the permissions for the user on any module.
In the second browser, the newly created user is still able to access the permissions module page and is able to assign permissions to self.
Ideally, if a user does not have access to all the permission modules, then the user should not be able to edit permissions.


> An admin user without permissions on all permission modules is able to view permissions module page and assign permissions to self
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-4086
>                 URL: https://issues.apache.org/jira/browse/RANGER-4086
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhishek
>            Priority: Major
>
> On the Ranger UI, create a new admin user and log in as the newly created user in a different browser.
> Then remove the permissions for the user on any module.
> In the second browser, the newly created user is still able to access the permissions module page and is able to assign permissions to self.
> Ideally, if a user does not have access to all the permission modules, then the user should not be able to edit permissions,
> or if a user tries to remove permissions for an admin user, it should result in an error or a notification stating that permissions for admin users can't be removed.


