Posted to dev@ranger.apache.org by Kirby Zhou <ki...@gmail.com> on 2022/06/11 04:47:40 UTC

Re: Review Request 73846: RANGER-3623 Add ability to enable anonymous download of policy/role/tag

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73846/#review224492
-----------------------------------------------------------



Any ideas?

- Kirby Zhou


On February 15, 2022, 3:58 a.m., Kirby Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73846/
> -----------------------------------------------------------
> 
> (Updated February 15, 2022, 3:58 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3623
>     https://issues.apache.org/jira/browse/RANGER-3623
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently, we have an option ranger.admin.allow.unauthenticated.access to allow unauthenticated clients to perform a series of API operations. This option allows the client to perform both dangerous grant/revoke permission operations and relatively safe download operations.
> 
> In many cases, allowing anonymous downloading of policy/tag/role is not a serious risk. On the contrary, the complicated Kerberos and SSL settings make it difficult for the Ranger plugin embedded in third-party services to complete the task of refreshing policy, which may be a bigger problem. In particular, refresh failure often has no obvious signs for administrators to discover.
> 
> Therefore, I suggest that Ranger add the ability to allow clients to download policy/tag/roles anonymously.
> There are two ways to achieve it.
>  
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true",
> which requires modifying "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" to remove dangerous operations from 'security="none"'.
>  
> 2. Add a candidate value "downloadonly" to "ranger.admin.allow.unauthenticated.access",
> which requires modifying ServiceREST.java and BizUtil.java to implement the enhanced checking logic.
>  
> I have a patch for method 2.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 1ec1df0a3d09577c52e503532d5aea87ad6cd72d 
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java e3cdef1c2ba6411cf4d4a26cd49e56e9017f3e93 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 098188e3b9f1f837727c7d279a4fab1f0aa84e34 
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 10f91e037180a50287b8d0b0fa0ea3eec0d7f415 
> 
> 
> Diff: https://reviews.apache.org/r/73846/diff/1/
> 
> 
> Testing
> -------
> 
> mvn clean build package
> fresh install and upgrade.
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>
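The "enhanced checking logic" for method 2 in the quoted request is the interesting part from a security standpoint: the existing boolean switch gains a third value, and an unauthenticated caller must then be confined to the download endpoints and nothing else. The class below is an added illustration of that decision, written for this thread; it is not code from Kirby's patch or from Ranger itself. The class name, the `Mode` enum, the `isAllowed` method and the operation names in the allow-list are all assumptions chosen for the example; only the option name and its "true" and "downloadonly" values come from the request.

```java
import java.util.Locale;
import java.util.Set;

// Hypothetical stand-in for the check described in the review request.
// None of these names are Ranger's own classes or methods.
public final class UnauthenticatedAccessPolicy {

    /** The three accepted values of ranger.admin.allow.unauthenticated.access. */
    public enum Mode { NONE, DOWNLOAD_ONLY, ALL }

    /**
     * Explicit allow-list of operations an anonymous caller may perform in
     * DOWNLOAD_ONLY mode. Operation names here are illustrative (assumed).
     * Anything not listed, including grant/revoke, needs authentication.
     */
    private static final Set<String> DOWNLOAD_OPERATIONS = Set.of(
            "downloadPolicies", "downloadTags", "downloadRoles");

    private final Mode mode;

    public UnauthenticatedAccessPolicy(String configValue) {
        this.mode = parse(configValue);
    }

    /** Missing, blank or unrecognised values fail closed to NONE ("false"). */
    static Mode parse(String value) {
        if (value == null) {
            return Mode.NONE;
        }
        switch (value.trim().toLowerCase(Locale.ROOT)) {
            case "true":         return Mode.ALL;
            case "downloadonly": return Mode.DOWNLOAD_ONLY;
            default:             return Mode.NONE;
        }
    }

    public Mode mode() {
        return mode;
    }

    /**
     * Returns true when the request may proceed past this switch. An
     * authenticated caller is never affected by it; the normal authorization
     * checks still apply to them further down the call chain.
     */
    public boolean isAllowed(String operation, boolean authenticated) {
        if (authenticated) {
            return true;
        }
        switch (mode) {
            case ALL:           return true;
            case DOWNLOAD_ONLY: return DOWNLOAD_OPERATIONS.contains(operation);
            default:            return false;
        }
    }

    public static void main(String[] args) {
        UnauthenticatedAccessPolicy policy = new UnauthenticatedAccessPolicy("downloadonly");
        System.out.println("mode = " + policy.mode());
        System.out.println("anonymous downloadPolicies: "
                + policy.isAllowed("downloadPolicies", false));
        System.out.println("anonymous grantAccess: "
                + policy.isAllowed("grantAccess", false));
        System.out.println("authenticated grantAccess: "
                + policy.isAllowed("grantAccess", true));
        System.out.println("typo in config ('downlodonly') -> mode = "
                + new UnauthenticatedAccessPolicy("downlodonly").mode());
    }
}
```

Two design points matter here. The download operations are an explicit allow-list rather than "everything except grant/revoke", so an endpoint added later is not reachable anonymously unless someone deliberately lists it. And an unrecognised value of the option degrades to the most restrictive mode, so a typo in the property never silently opens the full "true" behaviour that the request calls dangerous.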