You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by rm...@apache.org on 2022/04/25 20:53:12 UTC
[ranger] branch ranger-2.3 updated: RANGER-3619: REST API returns 403 when authed user has no
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
new 6f42259dd RANGER-3619: REST API returns 403 when authed user has no
6f42259dd is described below
commit 6f42259dde3137a8b68873123971b4f1af26117a
Author: ZhouTianling <zh...@sensorsdata.cn>
AuthorDate: Mon Apr 25 13:50:07 2022 -0700
RANGER-3619: REST API returns 403 when authed user has no
Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
.../main/java/org/apache/ranger/biz/RangerBizUtil.java | 15 ++++++++++-----
.../src/main/java/org/apache/ranger/biz/XAuditMgr.java | 2 +-
.../src/main/java/org/apache/ranger/biz/XUserMgr.java | 10 +++++-----
.../src/main/java/org/apache/ranger/rest/RoleREST.java | 2 +-
.../src/main/java/org/apache/ranger/rest/ServiceREST.java | 10 +++++-----
.../src/main/java/org/apache/ranger/rest/TagREST.java | 2 +-
.../src/main/java/org/apache/ranger/rest/XUserREST.java | 2 +-
.../security/context/RangerPreAuthSecurityHandler.java | 2 +-
.../ranger/security/web/filter/RangerKrbFilter.java | 4 ++--
9 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index cf5903d7a..f91232059 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -1456,7 +1456,7 @@ public class RangerBizUtil {
if (session != null) {
if (session.isAuditKeyAdmin() || session.isAuditUserAdmin()) {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
vXResponse.setMsgDesc("Operation"
+ " denied. LoggedInUser="
+ session.getXXPortalUser().getId()
@@ -1465,7 +1465,7 @@ public class RangerBizUtil {
}
} else {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null
vXResponse.setMsgDesc("Bad Credentials");
throw restErrorUtil.generateRESTException(vXResponse);
}
@@ -1537,8 +1537,13 @@ public class RangerBizUtil {
public boolean checkAdminAccess() {
UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
-
- return currentUserSession != null && currentUserSession.isUserAdmin();
+ if (currentUserSession != null) {
+ return currentUserSession.isUserAdmin();
+ } else {
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
}
-
}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
index 935435044..75371f4b2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java
@@ -110,7 +110,7 @@ public class XAuditMgr extends XAuditMgrBase {
}
} else {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null
vXResponse.setMsgDesc("Bad Credentials");
throw restErrorUtil.generateRESTException(vXResponse);
}
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 91139d153..4f2527223 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -1334,14 +1334,14 @@ public class XUserMgr extends XUserMgrBase {
if (session != null) {
if (!session.isUserAdmin()) {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
vXResponse.setMsgDesc("Operation" + " denied. LoggedInUser=" + (session != null ? session.getXXPortalUser().getId() : "Not Logged In")
+ " ,isn't permitted to perform the action.");
throw restErrorUtil.generateRESTException(vXResponse);
}
} else {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null
vXResponse.setMsgDesc("Bad Credentials");
throw restErrorUtil.generateRESTException(vXResponse);
}
@@ -1356,7 +1356,7 @@ public class XUserMgr extends XUserMgrBase {
}
} else {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null
vXResponse.setMsgDesc("Bad Credentials");
throw restErrorUtil.generateRESTException(vXResponse);
}
@@ -1490,7 +1490,7 @@ public class XUserMgr extends XUserMgrBase {
}
} else {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null or role is null
vXResponse.setMsgDesc("Bad Credentials");
throw restErrorUtil.generateRESTException(vXResponse);
}
@@ -2486,7 +2486,7 @@ public class XUserMgr extends XUserMgrBase {
}
} else {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED); // user is null
vXResponse.setMsgDesc("Bad Credentials");
throw restErrorUtil.generateRESTException(vXResponse);
}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index c72e10511..8478104a8 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -860,7 +860,7 @@ public class RoleREST {
}
} else {
LOG.error("getSecureRangerRolesIfUpdated(" + serviceName + ", " + lastKnownRoleVersion + ") failed as User doesn't have permission to UserGroupRoles");
- httpCode = HttpServletResponse.SC_UNAUTHORIZED;
+ httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
logMsg = "User doesn't have permission to download UserGroupRoles";
}
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 642a18791..b5c83f58b 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -1231,7 +1231,7 @@ public class ServiceREST {
if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action.");
throw restErrorUtil.generateRESTException(vXResponse);
}
@@ -1467,7 +1467,7 @@ public class ServiceREST {
if (vxUser.getUserRoleList().contains(RangerConstants.ROLE_ADMIN_AUDITOR) || vxUser.getUserRoleList().contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR)) {
VXResponse vXResponse = new VXResponse();
- vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN);
vXResponse.setMsgDesc("Operation denied. LoggedInUser=" + vxUser.getId() + " is not permitted to perform the action.");
throw restErrorUtil.generateRESTException(vXResponse);
}
@@ -3151,7 +3151,7 @@ public class ServiceREST {
} else {
LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed as User doesn't have permission to download Policy");
- httpCode = HttpServletResponse.SC_UNAUTHORIZED;
+ httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
logMsg = "User doesn't have permission to download policy";
}
} catch (Throwable excp) {
@@ -3552,7 +3552,7 @@ public class ServiceREST {
if (!isAllowed) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED,
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN,
"User '" + userName + "' does not have delegated-admin privilege on given resources", true);
}
} else {
@@ -4038,7 +4038,7 @@ public class ServiceREST {
}
if (!isAllowed) {
- throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "User '"
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User '"
+ userName + "' does not have delegated-admin privilege on given resources", true);
}
} else {
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
index 10f91e037..8b0baf904 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
@@ -1222,7 +1222,7 @@ public class TagREST {
}
}else{
LOG.error("getSecureServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + lastActivationTime + ") failed as User doesn't have permission to download tags");
- httpCode = HttpServletResponse.SC_UNAUTHORIZED;
+ httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
logMsg = "User doesn't have permission to download tags";
}
} catch (WebApplicationException webException) {
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 4c9ebb7db..7765e047c 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -1429,7 +1429,7 @@ public class XUserREST {
}
} else {
logger.error("getSecureRangerUserStoreIfUpdated(" + serviceName + ", " + lastKnownUserStoreVersion + ") failed as User doesn't have permission to download UsersAndGroups");
- httpCode = HttpServletResponse.SC_UNAUTHORIZED;
+ httpCode = HttpServletResponse.SC_FORBIDDEN; // assert user is authenticated.
logMsg = "User doesn't have permission to download UsersAndGroups";
}
}
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
index 5d7cbdc67..c823fba45 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
@@ -119,7 +119,7 @@ public class RangerPreAuthSecurityHandler {
return true;
}
VXResponse gjResponse = new VXResponse();
- gjResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ gjResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); // assert user is authenticated.
gjResponse.setMsgDesc("User is not allowed to access the API");
throw restErrorUtil.generateRESTException(gjResponse);
}
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index 801b0974a..29c1bcdef 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -620,11 +620,11 @@ public class RangerKrbFilter implements Filter {
sb.append("\"").append(token).append("\"");
}
- if (path != null) {
+ if (StringUtils.isNotEmpty(path)) {
sb.append("; Path=").append(path);
}
- if (domain != null) {
+ if (StringUtils.isNotEmpty(domain)) {
sb.append("; Domain=").append(domain);
}