[jira] [Created] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag

["kirby zhou (Jira)" <ji...@apache.org>]

kirby zhou created RANGER-3623:
----------------------------------

             Summary: Add ability to enable anonymous download of policy/role/tag
                 Key: RANGER-3623
                 URL: https://issues.apache.org/jira/browse/RANGER-3623
             Project: Ranger
          Issue Type: Improvement
          Components: admin
    Affects Versions: 3.0.0, 2.3.0
            Reporter: kirby zhou
         Attachments: add-downloadonly-option.patch

Currently, we have an option ranger.admin.allow.unauthenticated.access to allow unauthenticated clients to perform a series of API operations. This option allows the client to perform both dangerous grant/revoke permission operation and relatively safe download operation.

In many cases, allowing anonymous downloading of policy is not a serious risk problem. On the contrary, the complicated kerberos and SSL settings make it difficult for ranger plugin embedded in third-party services to complete the task of refreshing policy, which may be a bigger problem. In particular, refresh failure often has no obvious features for administrators to discover.

Therefore, I suggest that ranger increase the ability to allow client to download policy/tag/roles anonymously.

There are two ways to achieve it.

 

1. Just limit the ability of  "ranger.admin.allow.unauthenticated.access=true"

which needs to modify "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" to remove dangerous operations from '

security="none"'.

 

2. Add a candidate value "downloadonly" to "ranger.admin.allow.unauthenticated.access"

Which needs modify ServiceRest.Java and BizUtil.java to implement the enhanced checking logic. 

 

I have a patch for method2



--
This message was sent by Atlassian Jira
(v8.20.1#820001)