RANGER-3837: Changed ensureAdminAccess and getRoleIfAccessible so tha…

…t both admins and service admins can now get,create,edit,delete roles Signed-off-by: pradeep <pradeep@apache.org>
apache · Aug 23, 2022 · 8127577 · 8127577
1 parent 78940d6
commit 8127577
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -909,7 +909,7 @@ private void ensureAdminAccess(String serviceName, String userName) throws Excep
             effectiveUser = loggedInUser;
         }
 
-        if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
+        if (!bizUtil.isUserRangerAdmin(effectiveUser) && !svcStore.isServiceAdminUser(serviceName, effectiveUser)) {
             throw new Exception("User " + effectiveUser + " does not have permission for this operation");
         }
     }
@@ -937,7 +937,7 @@ private RangerRole getRoleIfAccessible(String roleName, String serviceName, Stri
             effectiveUser = loggedInUser;
         }
         try {
-            if (!bizUtil.isUserRangerAdmin(effectiveUser)) {
+            if (!bizUtil.isUserRangerAdmin(effectiveUser) && !svcStore.isServiceAdminUser(serviceName, effectiveUser)) {
                 existingRole = roleStore.getRole(roleName);
                 ensureRoleAccess(effectiveUser, userGroups, existingRole);