RANGER-5425: Grant policies should show created by and updated by as … #788
+21
−12
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…users running the cmd instead of service users.
maheshbandal15
requested review from
dineshkumar-yadav,
kishorgollapalliwar,
maheshbandal15,
mneethiraj,
pradeepagrawal8184 and
rameeshm
mneethiraj
reviewed
Jan 7, 2026
|
|
||
| private Long resolveUserId(String userLoginId) { | ||
| Long userId = null; | ||
| if (Objects.equals(userLoginId, ContextUtil.getCurrentUserLoginId())) { |
Contributor
There was a problem hiding this comment.
userLoginId paramter name is misleading. The value sent is the name provided in the view object - which can be specified by callers of REST API to create/update policy/role/sevice/service-def, etc. This name should not be trusted.
The challenge with grant/revoke scenario is that the authenticated user (ContextUtil.getCurrentUserId()) can be the service-account, while the policy changes should be recorded as the grantor user - the payload value in GrantRevokeRequest.grantor. One approach to consider is to update grant/revoke calls to reset RangerSecurityContext with the identity of the grantor.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…users running the cmd instead of service users.
What changes were proposed in this pull request?
When grant policies are created the created and updated by should show user running the cmd, instead of service user. For this we have updated the logic which is setting the created by and updated by during policy creation.
How was this patch tested?
Local build passed, tested by creating grant policy and normal policy from ranger UI