Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2021/10/04 15:05:32 UTC
Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/
-----------------------------------------------------------
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462
Repository: ranger
Description
-------
Steps to reproduce the issue:
Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
Log in as bob and edit the policy item for bob: remove the Write permission.
After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
Fix involves:
1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
2. For admin users, updates to permissions are not checked.
3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
4. For other users all requested permissions are checked against other delegated-admin policies.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e
Diff: https://reviews.apache.org/r/73627/diff/1/
Testing
-------
Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.
Thanks,
Abhay Kulkarni
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On Oct. 5, 2021, 1:23 a.m., Madhan Neethiraj wrote:
> > Abhay - updates look good. Please review the following methods as well: grantAccess(), revokeAccess().
Reviewed
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223565
-----------------------------------------------------------
On Oct. 5, 2021, 12:27 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 5, 2021, 12:27 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
>
>
> Diff: https://reviews.apache.org/r/73627/diff/2/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223565
-----------------------------------------------------------
Abhay - updates look good. Please review the following methods as well: grantAccess(), revokeAccess().
- Madhan Neethiraj
On Oct. 5, 2021, 12:27 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 5, 2021, 12:27 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
>
>
> Diff: https://reviews.apache.org/r/73627/diff/2/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223568
-----------------------------------------------------------
Ship it!
- Madhan Neethiraj
On Oct. 5, 2021, 2:38 a.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 5, 2021, 2:38 a.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
>
>
> Diff: https://reviews.apache.org/r/73627/diff/3/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/
-----------------------------------------------------------
(Updated Oct. 5, 2021, 2:38 a.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Changes as a result of tests run
Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462
Repository: ranger
Description
-------
Steps to reproduce the issue:
Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
Log in as bob and edit the policy item for bob: remove the Write permission.
After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
Fix involves:
1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
2. For admin users, updates to permissions are not checked.
3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
4. For other users all requested permissions are checked against other delegated-admin policies.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
Diff: https://reviews.apache.org/r/73627/diff/3/
Changes: https://reviews.apache.org/r/73627/diff/2-3/
Testing
-------
Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.
Thanks,
Abhay Kulkarni
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/
-----------------------------------------------------------
(Updated Oct. 5, 2021, 12:27 a.m.)
Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
Updated based on suggested updates to the delegated-admin treatment for reading and writing.
Bugs: RANGER-3462
https://issues.apache.org/jira/browse/RANGER-3462
Repository: ranger
Description
-------
Steps to reproduce the issue:
Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
Log in as bob and edit the policy item for bob: remove the Write permission.
After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
Fix involves:
1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
2. For admin users, updates to permissions are not checked.
3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
4. For other users all requested permissions are checked against other delegated-admin policies.
Diffs (updated)
-----
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java f1123d19c
Diff: https://reviews.apache.org/r/73627/diff/2/
Changes: https://reviews.apache.org/r/73627/diff/1-2/
Testing
-------
Verified the fix by testing the repro scenario outlined above.
Passed all unit tests.
Thanks,
Abhay Kulkarni
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Madhan Neethiraj <ma...@apache.org>.
> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> > If the requirement is to return true when the current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add the following after #226:
> >
> > if (accessTypes.removeAll(allowedAccesses)) {
> >     ret = true;
> >     break;
> > }
> >
> > No change should be needed in the getAllAccessTypes() method - #199 above.
>
> Abhay Kulkarni wrote:
> The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can a delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both the "admin" user and a non-privileged user, can that policy-item contain more permissions than the delegated-admin user's permissions?
>
> If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user has more permissions than the permissions for the granting delegated-admin user.
I think it will help to distinguish policy-read and policy-update:
- a user should be allowed to read a policy if the user has delegate-admin on at least one access-type listed in the policy
- a user should be allowed to create a policy only if the user has delegate-admin on all access-types listed in the policy
- a user should be allowed to delete a policy only if the user has delegate-admin on all access-types listed in the policy being deleted
- a user should be allowed to update a policy only if the user has delegate-admin on all access-types listed in both existing policy and updated policy
- Madhan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------
On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 4, 2021, 3:05 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
> security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e
>
>
> Diff: https://reviews.apache.org/r/73627/diff/1/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> > If the requirement is to return true when the current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add the following after #226:
> >
> > if (accessTypes.removeAll(allowedAccesses)) {
> >     ret = true;
> >     break;
> > }
> >
> > No change should be needed in the getAllAccessTypes() method - #199 above.
>
> Abhay Kulkarni wrote:
> The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can a delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both the "admin" user and a non-privileged user, can that policy-item contain more permissions than the delegated-admin user's permissions?
>
> If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user has more permissions than the permissions for the granting delegated-admin user.
>
> Madhan Neethiraj wrote:
> I think it will help to distinguish policy-read and policy-update:
> - a user should be allowed to read a policy if the user has delegate-admin on at least one access-type listed in the policy
> - a user should be allowed to create a policy only if the user has delegate-admin on all access-types listed in the policy
> - a user should be allowed to delete a policy only if the user has delegate-admin on all access-types listed in the policy being deleted
> - a user should be allowed to update a policy only if the user has delegate-admin on all access-types listed in both existing policy and updated policy
Another case to consider is if the delegated-admin user changes a policy to remove his own delegated-admin privilege.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------
On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 4, 2021, 3:05 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
> security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e
>
>
> Diff: https://reviews.apache.org/r/73627/diff/1/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
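The read/create/delete/update rules proposed by Madhan in the thread above, together with the self-revocation case Abhay raises in his reply, modelled as an added Python example; this is not Apache Ranger's code (Ranger itself is Java). The data model, the admin-role assignment and the "test-delegate-admin" policy contents are constructed to mirror the bug report, and resource matching across policies is left out.

```python
from dataclasses import dataclass, field


@dataclass
class PolicyItem:
    users: set                    # users named in the policy item
    accesses: set                 # access types granted, e.g. {"read", "write"}
    delegate_admin: bool = False  # the item's "Delegate Admin" flag


@dataclass
class Policy:
    name: str
    items: list = field(default_factory=list)

    def access_types(self):
        """Every access type granted by any item of this policy."""
        return set().union(*(item.accesses for item in self.items))


def delegated_admin_accesses(policies, user):
    """Access types on which `user` holds delegate-admin across the given
    policies. Model assumption: all policies passed in cover the same
    resource, so no resource matching is done here."""
    return set().union(*(item.accesses
                         for policy in policies for item in policy.items
                         if item.delegate_admin and user in item.users))


ADMIN_USERS = {"alice"}  # constructed: alice holds the Ranger admin role


def can_read(policies, policy, user):
    """Read rule: delegate-admin on at least one access type of the policy."""
    if user in ADMIN_USERS:
        return True
    return bool(delegated_admin_accesses(policies, user) & policy.access_types())


def can_create_or_delete(policies, policy, user):
    """Create/delete rule: delegate-admin on all access types of the policy."""
    if user in ADMIN_USERS:
        return True
    return policy.access_types() <= delegated_admin_accesses(policies, user)


def can_update(policies, existing, updated, user):
    """Update rule: delegate-admin on all access types of both the existing
    and the updated policy, checked against privileges held before the save."""
    if user in ADMIN_USERS:
        return True
    needed = existing.access_types() | updated.access_types()
    return needed <= delegated_admin_accesses(policies, user)


RWX = {"read", "write", "execute"}


def _policy(bob_accesses, bob_delegate_admin):
    # Constructed "test-delegate-admin" policy: bob's item varies per scenario,
    # alice's item always carries RWX with Delegate Admin.
    return Policy("test-delegate-admin", [
        PolicyItem({"bob"}, set(bob_accesses), bob_delegate_admin),
        PolicyItem({"alice"}, set(RWX), True),
    ])


def remove_write_scenario():
    """Replays the bug report: bob drops Write from his own item. If reading
    is gated on delegate-admin for *all* access types (the create/delete rule
    applied to reads) the policy disappears for bob; under the 'at least one'
    read rule it stays visible."""
    before = _policy(RWX, True)
    after = _policy({"read", "execute"}, True)
    return {
        "update_allowed": can_update([before], before, after, "bob"),
        "visible_with_all_rule": can_create_or_delete([after], after, "bob"),
        "visible_with_any_rule": can_read([after], after, "bob"),
    }


def self_revoke_scenario():
    """The case raised in the thread: bob clears his own Delegate Admin flag.
    The update passes (bob held delegate-admin on every access type before the
    save), but the saved policy is no longer readable by bob in this model."""
    before = _policy(RWX, True)
    after = _policy(RWX, False)
    return {
        "update_allowed": can_update([before], before, after, "bob"),
        "visible_after": can_read([after], after, "bob"),
    }
```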
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Abhay Kulkarni <ak...@hortonworks.com>.
> On Oct. 4, 2021, 7:57 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
> > Line 196 (original), 212 (patched)
> > <https://reviews.apache.org/r/73627/diff/1/?file=2253489#file2253489line212>
> >
> > If the requirement is to return true when the current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add the following after #226:
> >
> > if (accessTypes.removeAll(allowedAccesses)) {
> >     ret = true;
> >     break;
> > }
> >
> > No change should be needed in the getAllAccessTypes() method - #199 above.
The requirement is not clear on this. It should not be possible for a delegated-admin user to grant some other user more permissions than his own permissions. Can a delegated-admin user grant more permissions to the "admin" user than his own permissions? If a policy-item contains both the "admin" user and a non-privileged user, can that policy-item contain more permissions than the delegated-admin user's permissions?
If we limit the requirement to "return true when current user has 'delegate-admin' for at least one permission", then there will be a policy where a user has more permissions than the permissions for the granting delegated-admin user.
- Abhay
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------
On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 4, 2021, 3:05 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
> security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e
>
>
> Diff: https://reviews.apache.org/r/73627/diff/1/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>
Re: Review Request 73627: RANGER-3462: User with delegated admin
permission on a resource cannot fetch policy for the resource
Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73627/#review223561
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java
Line 196 (original), 212 (patched)
<https://reviews.apache.org/r/73627/#comment312643>
If the requirement is to return true when the current user has 'delegate-admin' for at least one permission listed in the policy, the only change needed will be to add the following after #226:
if (accessTypes.removeAll(allowedAccesses)) {
    ret = true;
    break;
}
No change should be needed in the getAllAccessTypes() method - #199 above.
security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
Lines 268 (patched)
<https://reviews.apache.org/r/73627/#comment312642>
isZoneAdmin() => isZoneAuditor()
- Madhan Neethiraj
On Oct. 4, 2021, 3:05 p.m., Abhay Kulkarni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73627/
> -----------------------------------------------------------
>
> (Updated Oct. 4, 2021, 3:05 p.m.)
>
>
> Review request for ranger, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3462
> https://issues.apache.org/jira/browse/RANGER-3462
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Steps to reproduce the issue:
>
> Create users in Ranger alice, bob, and charlie. Alice has the admin role; bob and charlie have the user role.
> Create an HDFS policy with name "test-delegate-admin" as alice. In that policy there are 2 policy items; one for bob, and the other for alice with RWX permissions with "Delegate Admin".
> Log in as bob and edit the policy item for bob: remove the Write permission.
> After saving the policy, bob is not able to see the policy anymore. It only becomes visible after the Write permission is restored.
>
>
> Fix involves:
> 1. When a policy is updated, the policy-items are segregated based on users specified in the policy-item.
> 2. For admin users, updates to permissions are not checked.
> 3. For the user/group/role updating the policy, only admin permission is checked in all delegated-admin policies.
> 4. For other users all requested permissions are checked against other delegated-admin policies.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdmin.java e2a0884a6
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminCache.java a6f0a1a2a
> security-admin/src/main/java/org/apache/ranger/biz/RangerPolicyAdminImpl.java 090384b7b
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 3cd289cc2
> security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 7fdda9a1e
>
>
> Diff: https://reviews.apache.org/r/73627/diff/1/
>
>
> Testing
> -------
>
> Verified the fix by testing the repro scenario outlined above.
> Passed all unit tests.
>
>
> Thanks,
>
> Abhay Kulkarni
>
>