You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Abhay Kulkarni <ak...@hortonworks.com> on 2019/10/20 03:30:37 UTC

Re: Review Request 71636: RANGER-2626: Block unauthenticated access to Ranger REST endpoints in kerberized environment

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71636/
-----------------------------------------------------------

(Updated Oct. 20, 2019, 3:30 a.m.)


Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Changes
-------

RANGER-2626: Block unauthenticated access to Ranger REST endpoints in kerberized environment


Summary (updated)
-----------------

RANGER-2626: Block unauthenticated access to Ranger REST endpoints in kerberized environment


Bugs: RANGER-2626
    https://issues.apache.org/jira/browse/RANGER-2626


Repository: ranger


Description (updated)
-------

Some of the Ranger REST endpoints (such as those for downloads of policies/tags/roles) are accessed for all users. However, in secure environment, unauthenticated access to them should not be allowed.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 58cf790b1 
  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java fa3a31804 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 852c2c8dc 
  security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 8b582081a 


Diff: https://reviews.apache.org/r/71636/diff/3/

Changes: https://reviews.apache.org/r/71636/diff/2-3/


Testing (updated)
-------

Tested with kerberized cluster with curl script to invoke policy download without acquiring kerberos identity. Ensured that policy download failed.


Thanks,

Abhay Kulkarni

Re: Review Request 71636: RANGER-2626: Block unauthenticated access to Ranger REST endpoints in kerberized environment

Posted by Ramesh Mani <rm...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71636/#review218296
-----------------------------------------------------------


Ship it!




Ship It!

- Ramesh Mani


On Oct. 20, 2019, 2:04 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71636/
> -----------------------------------------------------------
> 
> (Updated Oct. 20, 2019, 2:04 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-2626
>     https://issues.apache.org/jira/browse/RANGER-2626
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Some of the Ranger REST endpoints (such as those for downloads of policies/tags/roles) are accessed for all users. However, in secure environment, unauthenticated access to them should not be allowed.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 58cf790b1 
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java fa3a31804 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 852c2c8dc 
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 8b582081a 
> 
> 
> Diff: https://reviews.apache.org/r/71636/diff/4/
> 
> 
> Testing
> -------
> 
> Tested with kerberized cluster with curl script to invoke policy download without acquiring kerberos identity. Ensured that policy download failed.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 71636: RANGER-2626: Block unauthenticated access to Ranger REST endpoints in kerberized environment

Posted by Madhan Neethiraj <ma...@apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71636/#review218298
-----------------------------------------------------------


Ship it!




Ship It!

- Madhan Neethiraj


On Oct. 20, 2019, 2:04 p.m., Abhay Kulkarni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71636/
> -----------------------------------------------------------
> 
> (Updated Oct. 20, 2019, 2:04 p.m.)
> 
> 
> Review request for ranger, Madhan Neethiraj and Ramesh Mani.
> 
> 
> Bugs: RANGER-2626
>     https://issues.apache.org/jira/browse/RANGER-2626
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Some of the Ranger REST endpoints (such as those for downloads of policies/tags/roles) are accessed for all users. However, in secure environment, unauthenticated access to them should not be allowed.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 58cf790b1 
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java fa3a31804 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 852c2c8dc 
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 8b582081a 
> 
> 
> Diff: https://reviews.apache.org/r/71636/diff/4/
> 
> 
> Testing
> -------
> 
> Tested with kerberized cluster with curl script to invoke policy download without acquiring kerberos identity. Ensured that policy download failed.
> 
> 
> Thanks,
> 
> Abhay Kulkarni
> 
>

Re: Review Request 71636: RANGER-2626: Block unauthenticated access to Ranger REST endpoints in kerberized environment

Posted by Abhay Kulkarni <ak...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71636/
-----------------------------------------------------------

(Updated Oct. 20, 2019, 2:04 p.m.)


Review request for ranger, Madhan Neethiraj and Ramesh Mani.


Changes
-------

Passes all unit tests


Bugs: RANGER-2626
    https://issues.apache.org/jira/browse/RANGER-2626


Repository: ranger


Description
-------

Some of the Ranger REST endpoints (such as those for downloads of policies/tags/roles) are accessed for all users. However, in secure environment, unauthenticated access to them should not be allowed.


Diffs (updated)
-----

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 58cf790b1 
  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java fa3a31804 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 852c2c8dc 
  security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 8b582081a 


Diff: https://reviews.apache.org/r/71636/diff/4/

Changes: https://reviews.apache.org/r/71636/diff/3-4/


Testing
-------

Tested with kerberized cluster with curl script to invoke policy download without acquiring kerberos identity. Ensured that policy download failed.


Thanks,

Abhay Kulkarni