RANGER-5399: Ranger: HTTP 403 - User '' lacks delegated-admin privilege when attempting to GRANT privilege on a database

Sanket-Shelar · Sanket-Shelar · commit 9190e3d198e8 · 2025-11-12T16:04:05.000+05:30
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3220,7 +3220,7 @@ void ensureAdminAccess(RangerPolicy policy, String grantor) {
         final boolean isAdmin;
         final boolean isKeyAdmin;
 
-        if (StringUtils.isEmpty(grantor)) {
+        if (StringUtils.isNotEmpty(bizUtil.getCurrentUserLoginId())) {
             userName   = bizUtil.getCurrentUserLoginId();
             isAdmin    = bizUtil.isAdmin();
             isKeyAdmin = bizUtil.isKeyAdmin();
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1597,6 +1597,7 @@ public void test49importPoliciesFromFileAllowingOverride() throws Exception {
         Mockito.when(daoManager.getXXSecurityZoneRefTagService()).thenReturn(xSecZoneRefTagServiceDao);
         Mockito.when(xSecZoneRefTagServiceDao.findByTagServiceNameAndZoneId(Mockito.anyString(), Mockito.anyLong())).thenReturn(zoneTagServiceList);
         Mockito.when(svcStore.getServiceByName(Mockito.anyString())).thenReturn(service);
+        Mockito.when(userMgrGrantor.getRolesByLoginId(Mockito.any())).thenReturn(Arrays.asList("ROLE_SYS_ADMIN"));
         serviceREST.importPoliciesFromFile(request, null, zoneInputStream, uploadedInputStream, fileDetail, isOverride, "unzoneToZone");
 
         Mockito.verify(svcStore).createPolicy(rangerPolicy);
@@ -1655,6 +1656,7 @@ public void test50importPoliciesFromFileNotAllowingOverride() throws Exception {
         Mockito.when(xSecZoneRefServiceDao.findByServiceNameAndZoneId(Mockito.anyString(), Mockito.anyLong())).thenReturn(zoneServiceList);
         Mockito.when(daoManager.getXXSecurityZoneRefTagService()).thenReturn(xSecZoneRefTagServiceDao);
         Mockito.when(xSecZoneRefTagServiceDao.findByTagServiceNameAndZoneId(Mockito.anyString(), Mockito.anyLong())).thenReturn(zoneTagServiceList);
+        Mockito.when(userMgrGrantor.getRolesByLoginId(Mockito.any())).thenReturn(Arrays.asList("ROLE_SYS_ADMIN"));
         serviceREST.importPoliciesFromFile(request, null, zoneInputStream, uploadedInputStream, fileDetail, isOverride, "unzoneToUnZone");
         Mockito.verify(svcStore).createPolicy(rangerPolicy);
     }
