You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2021/10/04 15:05:32 UTC

Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/
-----------------------------------------------------------

Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.

Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462

Repository: ranger

Description
-------

Steps to reproduce the issue:

Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
Log in as bob, and edited the policy item for bob: removed Write permission.
After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.

Fix involves:
1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
2. For admin users, updates to permissions are not checked.
3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
4. For other users all requested permissions are checked against other delegated-admin policies.

Diffs
-----

security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e

Diff: https://reviews.apache.org/r/73627/diff/1/

Testing
-------

Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.

Thanks,

Abhay Kulkarni

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Abhay Kulkarni <ak...@hortonworks.com>.


> On Oct. 5, 2021, 1:23 a.m., Madhan Neethiraj wrote:
> > Abhay - updates look good. Please review following methods as well: grantAccess(), revokeAccess().

Reviewed


- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223565
-----------------------------------------------------------


On Oct. 5, 2021, 12:27 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 5, 2021, 12:27 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/2/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223565
-----------------------------------------------------------



Abhay - updates look good. Please review following methods as well: grantAccess(), revokeAccess().

- Madhan Neethiraj


On Oct. 5, 2021, 12:27 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 5, 2021, 12:27 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/2/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223568
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On Oct. 5, 2021, 2:38 a.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 5, 2021, 2:38 a.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/3/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Abhay Kulkarni <ak...@hortonworks.com>.

(Updated Oct. 5, 2021, 2:38 a.m.)

Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.

Changes
-------

Changes as a result of tests run

Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462

Repository: ranger

Description
-------

Steps to reproduce the issue:

Diffs (updated)
-----

Diff: https://reviews.apache.org/r/73627/diff/3/

Changes: https://reviews.apache.org/r/73627/diff/2-3/

Testing
-------

Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.

Thanks,

Abhay Kulkarni

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Abhay Kulkarni <ak...@hortonworks.com>.

(Updated Oct. 5, 2021, 12:27 a.m.)

Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.

Changes
-------

Updated based on suggested updates to the delegated-admin treatment for reading and writing.

Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462

Repository: ranger

Description
-------

Steps to reproduce the issue:

Diffs (updated)
-----

Diff: https://reviews.apache.org/r/73627/diff/2/

Changes: https://reviews.apache.org/r/73627/diff/1-2/

Testing
-------

Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.

Thanks,

Abhay Kulkarni

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Madhan Neethiraj <ma...@apache.org>.


> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> >     If the requirement is to return true when current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add following after #226:
> >     
> >       if (accessTypes.removeAll(allowedAccesses)) {
> >         ret = true;
> >         break;
> >       }
> >     
> >     No change should be needed in getAllAccessTypes() method - #199 above.
> 
> Abhay Kulkarni wrote:
>     The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both "admin" user and a non-privileged user, can that policy-item contain more permissions than delegated-admin users permissions?
>     
>     If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user have more permissions than permissions for the granting delegated-admin user.

I think it will help to distinguish policy-read and policy-update:
 - an user should be allowed to read a policy if the user has delegate-admin on at least one access-type listed in the policy
 - an user should be allowed to create a policy only if the user has delegate-admin on all access-types listed in the policy
 - an user should be allowed to delete a policy only if the user has delegate-admin on all access-types listed in the policy being deleted
 - an user should be allowed to update a policy only if the user has delegate-admin on all access-types listed in both existing policy and updated policy


- Madhan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------


On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 4, 2021, 3:05 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/1/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Abhay Kulkarni <ak...@hortonworks.com>.


> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> >     If the requirement is to return true when current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add following after #226:
> >     
> >       if (accessTypes.removeAll(allowedAccesses)) {
> >         ret = true;
> >         break;
> >       }
> >     
> >     No change should be needed in getAllAccessTypes() method - #199 above.
> 
> Abhay Kulkarni wrote:
>     The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both "admin" user and a non-privileged user, can that policy-item contain more permissions than delegated-admin users permissions?
>     
>     If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user have more permissions than permissions for the granting delegated-admin user.
> 
> Madhan Neethiraj wrote:
>     I think it will help to distinguish policy-read and policy-update:
>      - an user should be allowed to read a policy if the user has delegate-admin on at least one access-type listed in the policy
>      - an user should be allowed to create a policy only if the user has delegate-admin on all access-types listed in the policy
>      - an user should be allowed to delete a policy only if the user has delegate-admin on all access-types listed in the policy being deleted
>      - an user should be allowed to update a policy only if the user has delegate-admin on all access-types listed in both existing policy and updated policy

Another case to consider is if the delegated-admin user changes a policy to remove his own delegated-admin privilege.


- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------


On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 4, 2021, 3:05 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/1/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Abhay Kulkarni <ak...@hortonworks.com>.


> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> >     If the requirement is to return true when current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add following after #226:
> >     
> >       if (accessTypes.removeAll(allowedAccesses)) {
> >         ret = true;
> >         break;
> >       }
> >     
> >     No change should be needed in getAllAccessTypes() method - #199 above.

The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both "admin" user and a non-privileged user, can that policy-item contain more permissions than delegated-admin users permissions?

If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user have more permissions than permissions for the granting delegated-admin user.


- Abhay


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------


On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 4, 2021, 3:05 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/1/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 73627: RANGER-3462: User with delegated admin permission on a resource cannot fetch policy for the resource

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 196 (original), 212 (patched)
<https://reviews.apache.org/r/73627/#comment312643>

    If the requirement is to return true when current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add following after #226:
    
      if (accessTypes.removeAll(allowedAccesses)) {
        ret = true;
        break;
      }
    
    No change should be needed in getAllAccessTypes() method - #199 above.



security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
Lines 268 (patched)
<https://reviews.apache.org/r/73627/#comment312642>

    isZoneAdmin() => isZoneAuditor()


- Madhan Neethiraj


On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
> 
> (Updated Oct. 4, 2021, 3:05 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3462
>     https://issues.apache.org/jira/browse/RANGER-3462
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Steps to reproduce the issue:
> 
> Create users in Ranger alice, bob, and charlie. Alice has admin role, bob and charlie has user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob, and edited the policy item for bob: removed Write permission.
> After saving the policy bob is not able to see to policy anymore. It only becomes visible after the Write permission is restored.
> 
> 
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2 
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e 
> 
> 
> Diff: https://reviews.apache.org/r/73627/diff/1/
> 
> 
> Testing
> -------
> 
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>