[RANGER-2642] Grant/Revoke REST invocations by non-service users should not specify resource owner - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: master
Fix Version/s: master, 2.1.0
Component/s: Ranger
Labels:
None

Description

If Grant/Revoke REST API is invoked by a user which is not a admin or not listed in policy.grantrevoke.auth.users config parameter value, then resource being granted permission to should not specify ownership information. Otherwise, such user may be able to modify a resource for which it does not have delegated-admin privilege.

Attachments

Activity

People

Assignee:: Abhay Kulkarni

Reporter:: Abhay Kulkarni

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 08/Nov/19 18:06

Updated:: 15/Nov/19 22:02

Resolved:: 15/Nov/19 22:02