Posted to dev@ranger.apache.org by "Kishor Gollapalliwar (Jira)" <ji...@apache.org> on 2021/10/29 13:41:00 UTC

[jira] [Created] (RANGER-3502) Make get zones API accessible to authorized users

Kishor Gollapalliwar created RANGER-3502:
--------------------------------------------

             Summary: Make get zones API accessible to authorized users
                 Key: RANGER-3502
                 URL: https://issues.apache.org/jira/browse/RANGER-3502
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
            Reporter: Kishor Gollapalliwar
            Assignee: Kishor Gollapalliwar


Currently the get [zones|https://ranger.apache.org/apidocs/resource_SecurityZoneREST.html#resource_SecurityZoneREST_getAllZones_GET] API returns all zones, even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.

Steps to reproduce:
 # Create an internal user named test_user1
 # Remove the permission on the Security Zone module for the user
 # Log in as test_user1 to Ranger Admin; the user should not be able to see the Security Zone tab
 # Access the API using curl

{code:java}
curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
{code}
 


