Posted to dev@ranger.apache.org by Madhan Neethiraj <ma...@apache.org> on 2022/12/02 08:25:14 UTC
Re: Review Request 74189: RANGER-3883 : POST/PUT REST API's work even when invalid user id or Id is used in the URL
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74189/#review224938
-----------------------------------------------------------
security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
Lines 314 (patched)
<https://reviews.apache.org/r/74189/#comment313780>
To be consistent with other places, I suggest handling changePassword.id == null as well, like:
} else if (changePassword.getId() == null) {
changePassword.setId(userId);
} else if (!changePassword.getId().equals(userId)) {
logger.warn("SECURITY:changePassword(): userId mismatch");
throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null,"");
}
security-admin/src/main/java/org/apache/ranger/rest/UserREST.java
Lines 346 (patched)
<https://reviews.apache.org/r/74189/#comment313781>
To be consistent with other places, I suggest handling changeEmail.id == null as well, like:
} else if (changeEmail.getId() == null) {
changeEmail.setId(userId);
} else if (!changeEmail.getId().equals(userId)) {
logger.warn("SECURITY:changeEmail(): userId mismatch");
throw restErrorUtil.createRESTException("serverMsg.userRestUser",MessageEnums.DATA_NOT_FOUND, null, null,"");
}
- Madhan Neethiraj
On Nov. 29, 2022, 11:55 a.m., Ramachandran Krishnan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74189/
> -----------------------------------------------------------
>
> (Updated Nov. 29, 2022, 11:55 a.m.)
>
>
> Review request for ranger, Don Bosco Durai, Kirby Zhou, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, Subhrat Chaudhary, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-3883
> https://issues.apache.org/jira/browse/RANGER-3883
>
>
> Repository: ranger
>
>
> Description
> -------
>
> When a POST request is made to the following APIs, they return a 200 status code even when the userId is invalid.
>
> When a POST/PUT request is made to the following APIs, they return a 200 status code even when the userId or id is invalid.
>
> Ranger is not honouring Id
> /service/users/{USER_ID}/passwordchange
> /service/users/{USER_ID}/emailchange
> /assets/{id}
> /permission/{id}
> /services/{id}
> /definitions/{id}
> /secure/groups/{id}
> /policies/{id}
>
> Ideally, the APIs must return 404 (Not Found) or 400 (Bad Request) when an invalid userId or id is used in the URL.
>
> But in this case, the POST/PUT request results in status code 200 instead of 400
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java a0ba3b750
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIs.java 2e7e90bb4
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java 293107f24
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 9bccf1089
> security-admin/src/main/java/org/apache/ranger/rest/UserREST.java 5fc18034b
> security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java dd12048ac
> security-admin/src/test/java/org/apache/ranger/rest/TestAssetREST.java abd4b1c1c
> security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIs.java 2bf5ee6c9
> security-admin/src/test/java/org/apache/ranger/rest/TestPublicAPIsv2.java 1069f013d
> security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 375135a5a
> security-admin/src/test/java/org/apache/ranger/rest/TestUserREST.java 48cd7face
> security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java 2b25ba813
>
>
> Diff: https://reviews.apache.org/r/74189/diff/4/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Ramachandran Krishnan
>
>
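The two checks discussed in this thread, as an added example that is not Apache Ranger code and not the patch under review: the bug report asks that an update against an id that does not exist fail instead of returning 200, and the reviewer's comment asks that a body id which disagrees with the URL id be rejected while a missing body id is filled in from the URL. The example is framework-free Python; the USERS dict, the fresh_users() helper, the change_email_* handlers and the handle() wrapper standing in for the JAX-RS layer are all hypothetical, and the sample user records are constructed.

```python
"""Added example (not Apache Ranger code): URL-id vs. body-id reconciliation
for a PUT /service/users/{USER_ID}/emailchange style endpoint.

Hypothetical pieces: USERS stands in for the user table, handle() stands in
for the REST layer that maps exceptions to HTTP status codes, and the
unchecked handler illustrates the failure mode described in the bug report.
"""
from typing import Optional


class RestError(Exception):
    """Carries the HTTP status the REST layer should return."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


def reconcile_id(path_id: int, body_id: Optional[int]) -> int:
    """Return the id the request should act on.

    Mirrors the reviewer's suggested chain: a missing body id is taken from
    the URL; a body id that disagrees with the URL is rejected.
    """
    if body_id is None:
        return path_id
    if body_id != path_id:
        # Warn so the mismatch shows up in the audit trail, then reject.
        print(f"SECURITY: id mismatch, url={path_id} body={body_id}")
        raise RestError(400, "id in URL does not match id in request body")
    return path_id


# Constructed sample data standing in for the user table.
USERS = {
    1: {"email": "admin@example.com"},
    2: {"email": "bob@example.com"},
}


def fresh_users() -> dict:
    """Return an independent copy of USERS so each call starts clean."""
    return {uid: dict(rec) for uid, rec in USERS.items()}


def change_email_unchecked(users: dict, path_user_id: int, body: dict) -> dict:
    """Failure mode from the bug report (hypothetical, not Ranger's code):
    the URL id is never consulted, so a request against a non-existent
    URL id still succeeds with 200 and edits whatever the body names."""
    target = body["id"]
    users[target]["email"] = body["email"]
    return {"id": target, "email": body["email"]}


def change_email_checked(users: dict, path_user_id: int, body: dict) -> dict:
    """Hardened handler: reconcile the ids, then honour the URL id by
    failing with 404 when it does not exist."""
    user_id = reconcile_id(path_user_id, body.get("id"))
    if user_id not in users:
        raise RestError(404, f"user {user_id} not found")
    users[user_id]["email"] = body["email"]
    return {"id": user_id, "email": body["email"]}


def handle(handler, users: dict, path_user_id: int, body: dict) -> tuple:
    """Stand-in for the REST layer: map RestError to (status, payload)."""
    try:
        return 200, handler(users, path_user_id, body)
    except RestError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    evil = {"id": 2, "email": "evil@example.com"}
    # URL names user 999 (absent), body names user 2: unchecked -> 200, user 2 edited
    print(handle(change_email_unchecked, fresh_users(), 999, evil))
    # Same request against the checked handler -> 400, nothing edited
    print(handle(change_email_checked, fresh_users(), 999, evil))
    # Absent URL id, no body id -> 404
    print(handle(change_email_checked, fresh_users(), 999, {"email": "x@example.com"}))
    # Existing URL id, no body id -> id taken from URL, 200
    print(handle(change_email_checked, fresh_users(), 2, {"email": "new@example.com"}))
```

The mismatch case returns 400 here, while the reviewer's snippet throws DATA_NOT_FOUND; the bug report accepts either 404 or 400, so the choice is a matter of which status the rest of the API already uses for rejected ids. The existence check runs after reconciliation on purpose: reconciling first means the 404 is always about the id the caller put in the URL, never about one smuggled in through the body.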