ranger-dev mailing list archives

From Pradeep Agrawal <pradeepagrawal8...@gmail.com>
Subject Re: Review Request 68096: RANGER-2168: Add service admin user through service config
Date Wed, 01 Aug 2018 10:11:05 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68096/
-----------------------------------------------------------

(Updated Aug. 1, 2018, 10:11 a.m.)


Review request for ranger, Ankita Sinha, deepak sharma, Gautam Borad, Abhay Kulkarni, Madhan
Neethiraj, Mehul Parikh, suja s, and Velmurugan Periasamy.


Changes
-------

Addressed Review comments and tested the mentioned use cases again.


Bugs: RANGER-2168
    https://issues.apache.org/jira/browse/RANGER-2168


Repository: ranger


Description
-------

**Problem Statement:** Currently only a user with the admin role or a delegated admin user can create
the policy. We can possibly have a service admin user who can be allowed to create policy.
Such users can be configured in the service config itself and can be removed by admin anytime.

**Proposed Solution:** 
Allow admin/keyadmin role users to add a custom service config property 'service.admin.users'
through service page. 
Users provided in 'service.admin.users' can be internal or external and can have any role.
Users provided in 'service.admin.users' should be able to create/update/delete/view policies
of that ranger service.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 10d8aa209 
  security-admin/src/main/java/org/apache/ranger/db/XXServiceConfigMapDao.java 5e94855c8 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java e4449df2e 
  security-admin/src/main/resources/META-INF/jpa_named_queries.xml d2a6f4b09 


Diff: https://reviews.apache.org/r/68096/diff/2/

Changes: https://reviews.apache.org/r/68096/diff/1-2/


Testing
-------

**Steps Performed:**
Created an internal user testuser in the Ranger admin.
Added a hive service 'hivedev' in Ranger.

**Action-1**: Logged in from 'testuser' and tried to create a policy 'testpolicy' in 'hivedev'
service.
**Expected Behaviour**: Policy creation should fail.
**Actual Behaviour**: Policy creation failed.

**Action-2.1**: Logged in from ranger admin user and added a custom property 'service.admin.users'
in 'hivedev' service and provided value 'testuser' in the given text box. Saved the 'hivedev'
service.
**Action-2.2**: Logged in from 'testuser' and tried to create a policy 'testpolicy' in 'hivedev'
service.
**Expected Behaviour**: Policy creation should be successful.
**Actual Behaviour**: Policy creation finished successfully.

Tested policy update and deletion, which also executed successfully.

**Action-3.1**: Logged in from ranger admin user and removed custom property 'service.admin.users'
from 'hivedev' service. Saved the 'hivedev' service.
**Action-3.2**: Logged in from 'testuser' and tried to create a policy 'testpolicy1' in 'hivedev'
service.
**Expected Behaviour**: Policy creation should fail.
**Actual Behaviour**: Policy creation failed.


Thanks,

Pradeep Agrawal
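
The per-service authorization decision described in the message above, as an added example that is not part of the original e-mail or of Ranger's code. It assumes the 'service.admin.users' value is a comma-separated list of user names; the class and method names are hypothetical, and the sample config is constructed to mirror the three test actions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Ranger's implementation. Names are hypothetical.
public class ServiceAdminCheck {
    // Property name taken from the review request.
    static final String SERVICE_ADMIN_USERS = "service.admin.users";

    // Assumption: the property value is a comma-separated list of user names.
    static boolean isServiceAdmin(Map<String, String> serviceConfig, String user) {
        if (serviceConfig == null || user == null || user.isEmpty()) {
            return false; // fail closed on missing input
        }
        String value = serviceConfig.get(SERVICE_ADMIN_USERS);
        if (value == null) {
            return false; // property never set, or removed again by the admin
        }
        // Exact, case-sensitive match on trimmed entries. No substring or
        // prefix matching, so "testuser" in the list does not authorize "test".
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .anyMatch(user::equals);
    }

    // Admins and delegated admins keep their access; a service admin gains it
    // only for the service whose config lists them.
    static boolean canManagePolicies(boolean adminOrDelegatedAdmin,
                                     Map<String, String> serviceConfig, String user) {
        return adminOrDelegatedAdmin || isServiceAdmin(serviceConfig, user);
    }

    public static void main(String[] args) {
        Map<String, String> hivedev = new HashMap<>(); // constructed sample config

        // Action-1: property not set, non-admin user.
        System.out.println("Action-1:   " + canManagePolicies(false, hivedev, "testuser"));

        // Action-2: admin adds the property (extra whitespace is tolerated).
        hivedev.put(SERVICE_ADMIN_USERS, " testuser , otheruser");
        System.out.println("Action-2.2: " + canManagePolicies(false, hivedev, "testuser"));
        System.out.println("Prefix:     " + canManagePolicies(false, hivedev, "test"));

        // Action-3: admin removes the property; access is revoked on the next check.
        hivedev.remove(SERVICE_ADMIN_USERS);
        System.out.println("Action-3.2: " + canManagePolicies(false, hivedev, "testuser"));
    }
}
```

Because the list is read from the service config on each decision, who may edit that config determines who can grant policy-management rights, which is why the message restricts the property to admin/keyadmin role users.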

