Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/02/15 03:44:00 UTC

[jira] [Updated] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag

     [ https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kirby zhou updated RANGER-3623:
-------------------------------
    Attachment: add-downloadonly-option.patch

> Add ability to enable anonymous download of policy/role/tag
> -----------------------------------------------------------
>
>                 Key: RANGER-3623
>                 URL: https://issues.apache.org/jira/browse/RANGER-3623
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Priority: Major
>         Attachments: add-downloadonly-option.patch
>
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to allow unauthenticated clients to perform a series of API operations. This option allows the client to perform both the dangerous grant/revoke permission operations and the relatively safe download operations.
> In many cases, allowing anonymous downloading of policies is not a serious risk. On the contrary, the complicated Kerberos and SSL settings make it difficult for the Ranger plugin embedded in third-party services to complete the task of refreshing policies, which may be a bigger problem. In particular, a refresh failure often has no obvious symptoms for administrators to discover.
> Therefore, I suggest that Ranger add the ability to allow clients to download policies/tags/roles anonymously.
> There are two ways to achieve it.
>
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true", which requires modifying "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" to remove the dangerous operations from 'security="none"'.
>
> 2. Add a candidate value "downloadonly" to "ranger.admin.allow.unauthenticated.access", which requires modifying ServiceRest.java and BizUtil.java to implement the enhanced checking logic.
>
> I have a patch for method 2.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
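The tri-state gate that the second approach describes (false / true / downloadonly), sketched as an added example. This is not the attached patch and not Ranger's own code: the class name, the three-way `allows` check and the concrete REST path prefixes (policy, secure-policy, tag and role download endpoints; grant/revoke under /service/plugins/services/) are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Locale;

/**
 * Illustrative gate for unauthenticated Ranger Admin REST calls (example code,
 * not Ranger's own). The option is assumed to take three values: "false",
 * "true" and the proposed "downloadonly". The download/grant/revoke paths
 * below are assumed from the Ranger Admin REST layout, not taken from the patch.
 */
public final class UnauthenticatedAccessGate {

    // Endpoints a plugin needs for policy/tag/role refresh (assumed paths).
    private static final List<String> DOWNLOAD_PREFIXES = List.of(
        "/service/plugins/policies/download/",
        "/service/plugins/secure/policies/download/",
        "/service/tags/download/",
        "/service/roles/download/");

    // Normalised value of ranger.admin.allow.unauthenticated.access.
    private final String setting;

    public UnauthenticatedAccessGate(String configuredValue) {
        this.setting = configuredValue == null
            ? "false"
            : configuredValue.trim().toLowerCase(Locale.ROOT);
    }

    /** True if an unauthenticated client may invoke the given request. */
    public boolean allows(String method, String path) {
        switch (setting) {
            case "true":
                // Current behaviour: every endpoint under security="none" is open,
                // including grant/revoke.
                return true;
            case "downloadonly":
                // Proposed behaviour: only the read-only refresh endpoints are open.
                return isDownload(method, path);
            default:
                // "false" or an unrecognised value: fail closed.
                return false;
        }
    }

    /** Classifies a request as a policy/tag/role download. */
    static boolean isDownload(String method, String path) {
        if (!"GET".equalsIgnoreCase(method)) {
            // Grant and revoke are POSTs; a download is always a GET.
            return false;
        }
        for (String prefix : DOWNLOAD_PREFIXES) {
            // Require a non-empty service name after the prefix.
            if (path.startsWith(prefix) && path.length() > prefix.length()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        UnauthenticatedAccessGate gate = new UnauthenticatedAccessGate("downloadonly");
        // Policy refresh by an embedded plugin: allowed without credentials.
        System.out.println(gate.allows("GET", "/service/plugins/policies/download/hivedev"));
        // Grant on the same service: still requires an authenticated caller.
        System.out.println(gate.allows("POST", "/service/plugins/services/grant/hivedev"));
        // The same grant under the existing catch-all setting.
        System.out.println(new UnauthenticatedAccessGate("true")
            .allows("POST", "/service/plugins/services/grant/hivedev"));
    }
}
```

Two points a reviewer would check in a real implementation of this value: the path handed to the gate must be the container's decoded and normalised servlet path, not the raw request URI, so that traversal segments or double-encoding cannot make a grant URL match a download prefix; and any endpoint added to the security="none" list later must be classified here too, otherwise "downloadonly" silently widens over time. Unrecognised option values fail closed rather than falling back to "true".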