This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new ee575c4bc RANGER-4771: Remove the calls to ensureAdminAccess() in
grantAccess() and revokeAccess()
ee575c4bc is described below
commit ee575c4bce0fa5e32e4ce324edc8cf121aee1897
Author: sanket-shelar <[email protected]>
AuthorDate: Thu Oct 16 21:08:03 2025 +0530
RANGER-4771: Remove the calls to ensureAdminAccess() in grantAccess() and
revokeAccess()
Signed-off-by: Kishor Gollapalliwar <[email protected]>
(cherry picked from commit c731ac3a53f957bbd117c3d38b12c5b34c18d8ce)
---
.../java/org/apache/ranger/rest/ServiceREST.java | 45 ++++++++++++++++++++--
.../org/apache/ranger/rest/TestServiceREST.java | 6 ++-
2 files changed, 46 insertions(+), 5 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 8fe2552cb..68f166230 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -63,6 +63,7 @@
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE;
import org.apache.ranger.biz.ServiceMgr;
+import org.apache.ranger.biz.UserMgr;
import org.apache.ranger.biz.TagDBStore;
import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.AppConstants;
@@ -239,7 +240,10 @@ public class ServiceREST {
@Autowired
RangerTransactionSynchronizationAdapter
rangerTransactionSynchronizationAdapter;
-
+
+ @Autowired
+ UserMgr userMgrGrantor;
+
private RangerPolicyEngineOptions delegateAdminOptions;
private RangerPolicyEngineOptions policySearchAdminOptions;
private RangerPolicyEngineOptions defaultAdminOptions;
@@ -1280,6 +1284,9 @@ public RESTResponse grantAccess(@PathParam("serviceName")
String serviceName, Gr
if(policyUpdated) {
policy.setZoneName(zoneName);
+
+
ensureAdminAccess(policy, userName);
+
svcStore.updatePolicy(policy);
} else {
LOG.error("processGrantRequest processing failed");
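Review bot: The `ensureAdminAccess(policy, userName)` call added before `svcStore.updatePolicy(policy)` authorizes against `userName`, and the hunk does not show where that value comes from; if it is the grantor named in the request body rather than the authenticated session user, the check is only as trustworthy as the caller that supplied it. The same call is added in the create path of grantAccess and in secureGrantAccess, revokeAccess and secureRevokeAccess. I would add a comment at each call site such as `// authorize the grantor named in the request, not the REST caller; the caller must already be validated as allowed to act for this user`, and confirm that validation runs before this point. The commit title says the calls are removed while these hunks add them, so the message should be corrected to describe the new grantor-based check. The enclosing method starts and ends outside the hunk.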
@@ -1317,6 +1324,8 @@ public RESTResponse grantAccess(@PathParam("serviceName")
String serviceName, Gr
policy.addPolicyItem(policyItem);
policy.setZoneName(zoneName);
+ ensureAdminAccess(policy,
userName);
+
svcStore.createPolicy(policy);
}
} catch(WebApplicationException excp) {
@@ -1394,6 +1403,9 @@ public RESTResponse
secureGrantAccess(@PathParam("serviceName") String serviceNa
if(policyUpdated) {
policy.setZoneName(zoneName);
+
+
ensureAdminAccess(policy, userName);
+
svcStore.updatePolicy(policy);
} else {
LOG.error("processSecureGrantRequest processing failed");
@@ -1431,6 +1443,8 @@ public RESTResponse
secureGrantAccess(@PathParam("serviceName") String serviceNa
policy.addPolicyItem(policyItem);
policy.setZoneName(zoneName);
+
ensureAdminAccess(policy, userName);
+
svcStore.createPolicy(policy);
}
}else{
@@ -1512,6 +1526,9 @@ public RESTResponse
revokeAccess(@PathParam("serviceName") String serviceName, G
if(policyUpdated) {
policy.setZoneName(zoneName);
+
+
ensureAdminAccess(policy, userName);
+
svcStore.updatePolicy(policy);
} else {
LOG.error("processRevokeRequest processing failed");
@@ -1594,6 +1611,9 @@ public RESTResponse
secureRevokeAccess(@PathParam("serviceName") String serviceN
if(policyUpdated) {
policy.setZoneName(zoneName);
+
+
ensureAdminAccess(policy, userName);
+
svcStore.updatePolicy(policy);
} else {
LOG.error("processSecureRevokeRequest processing failed");
@@ -3629,9 +3649,26 @@ private List<RangerPolicy>
applyAdminAccessFilter(List<RangerPolicy> policies) {
}
void ensureAdminAccess(RangerPolicy policy) {
- boolean isAdmin = bizUtil.isAdmin();
- boolean isKeyAdmin = bizUtil.isKeyAdmin();
- String userName = bizUtil.getCurrentUserLoginId();
+ ensureAdminAccess(policy, null);
+ }
+
+ void ensureAdminAccess(RangerPolicy policy, String grantor) {
+ final String userName;
+ final boolean isAdmin;
+ final boolean isKeyAdmin;
+
+ if (StringUtils.isEmpty(grantor)) {
+ userName = bizUtil.getCurrentUserLoginId();
+ isAdmin = bizUtil.isAdmin();
+ isKeyAdmin = bizUtil.isKeyAdmin();
+ } else {
+ Collection<String> userRoles =
userMgrGrantor.getRolesByLoginId(grantor);
+
+ userName = grantor;
+ isAdmin =
userRoles.contains(RangerConstants.ROLE_SYS_ADMIN);
+ isKeyAdmin =
userRoles.contains(RangerConstants.ROLE_KEY_ADMIN);
+ }
+
boolean isSvcAdmin = isAdmin ||
svcStore.isServiceAdminUser(policy.getService(), userName);
if (!isAdmin && !isKeyAdmin && !isSvcAdmin) {
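Review bot: In the new two-argument `ensureAdminAccess`, `userRoles.contains(...)` is called on the result of `userMgrGrantor.getRolesByLoginId(grantor)` with no null check, so if that method can return null for an unknown login id (not visible here), the caller gets a NullPointerException instead of the access-denied response. A guard such as `if (userRoles == null) { userRoles = Collections.emptyList(); }` would keep the outcome a clean denial. Separately, an empty `grantor` silently falls back to `bizUtil.isAdmin()` and `bizUtil.isKeyAdmin()` for the session user. If `userName` can be blank at the grant and revoke call sites, the request is then authorized as the REST caller rather than as the grantor, so either reject a blank grantor before calling or state the fallback in a Javadoc on this overload. The method body continues past the end of the hunk.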
diff --git
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index fad4552a9..5532b7817 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -39,6 +39,7 @@
import org.apache.ranger.biz.ServiceDBStore.JSON_FILE_NAME_TYPE;
import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.biz.TagDBStore;
+import org.apache.ranger.biz.UserMgr;
import org.apache.ranger.biz.XUserMgr;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
@@ -224,7 +225,8 @@ public class TestServiceREST {
@Rule
public ExpectedException thrown = ExpectedException.none();
-
+ @Mock
+ UserMgr userMgrGrantor;
private String capabilityVector;
private final String grantor = "test-grantor-1";
@@ -2304,6 +2306,7 @@ public void test14bGrantAccess() throws Exception {
Mockito.when(xUserService.getXUserByUserName(Mockito.anyString())).thenReturn(Mockito.mock(VXUser.class));
Mockito.when(svcStore.getServiceByName(Mockito.anyString())).thenReturn(Mockito.mock(RangerService.class));
Mockito.when(bizUtil.isUserRangerAdmin(Mockito.anyString())).thenReturn(true);
+
Mockito.when(userMgrGrantor.getRolesByLoginId(Mockito.anyString())).thenReturn(Arrays.asList("ROLE_SYS_ADMIN"));
RESTResponse restResponse = serviceREST.grantAccess(serviceName,
grantRequestObj, request);
Mockito.verify(svcStore,
Mockito.times(1)).createPolicy(Mockito.any(RangerPolicy.class));
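Review bot: The stub added here returns `ROLE_SYS_ADMIN` for any login id, so this test and test64SecureGrantAccess exercise only the allowed path of the grantor-based check. A companion test where `getRolesByLoginId` returns an empty list and the grantor is not a service admin, asserting that `createPolicy` is never called, would pin the denial this change is meant to enforce. The literal `"ROLE_SYS_ADMIN"` could also be written as `RangerConstants.ROLE_SYS_ADMIN` so the test tracks the constant that ServiceREST compares against.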
@@ -2326,6 +2329,7 @@ public void test64SecureGrantAccess(){
mockValidateGrantRevokeRequest();
Mockito.when(bizUtil.isAdmin()).thenReturn(true);
Mockito.when(bizUtil.isUserServiceAdmin(Mockito.any(RangerService.class),
Mockito.anyString())).thenReturn(true);
+
Mockito.when(userMgrGrantor.getRolesByLoginId(Mockito.anyString())).thenReturn(Arrays.asList("ROLE_SYS_ADMIN"));
RESTResponse restResponse;
try {
restResponse =
serviceREST.secureGrantAccess(serviceName, grantRequestObj, request);