Posted to dev@ranger.apache.org by "Bhavik Patel (Jira)" <ji...@apache.org> on 2022/02/15 13:51:00 UTC

[jira] [Commented] (RANGER-3623) Add ability to enable anonymous download of policy/role/tag

    [ https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492619#comment-17492619 ] 

Bhavik Patel commented on RANGER-3623:
--------------------------------------

[~kirbyzhou] As you mentioned "ranger plugin embedded in third-party services to complete the task of refreshing policy" ==> You mean to say that if we want to update the ranger default policies from third-party services, then it creates a problem?
If that's true, then that's the correct behaviour, because if we allow them, anybody can update policies from their service and get permissions for unwanted resources.

> Add ability to enable anonymous download of policy/role/tag
> -----------------------------------------------------------
>
>                 Key: RANGER-3623
>                 URL: https://issues.apache.org/jira/browse/RANGER-3623
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Priority: Major
>         Attachments: add-downloadonly-option.patch
>
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to allow unauthenticated clients to perform a series of API operations. This option allows the client to perform both the dangerous grant/revoke permission operations and the relatively safe download operations.
> In many cases, allowing anonymous downloading of policy is not a serious risk. On the contrary, the complicated kerberos and SSL settings make it difficult for the ranger plugin embedded in third-party services to complete the task of refreshing policy, which may be a bigger problem. In particular, a refresh failure often has no obvious symptoms for administrators to discover.
> Therefore, I suggest that ranger add the ability to allow clients to download policy/tag/roles anonymously.
> There are two ways to achieve it.
>  
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true",
> which needs modifying "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" to remove the dangerous operations from 'security="none"'.
>  
> 2. Add a candidate value "downloadonly" to "ranger.admin.allow.unauthenticated.access",
> which needs modifying ServiceREST.java and BizUtil.java to implement the enhanced checking logic.
>  
> I have a patch for method 2.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
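To make the difference between the two proposed modes concrete, here is an added illustration (not Ranger's code, not from the attached patch) of the checking logic method 2 describes: an unauthenticated request is allowed only for download endpoints when the option is "downloadonly", for the whole listed set when it is "true", and never otherwise. The endpoint paths and their classification are assumed for the example and may not match Ranger's actual REST layout; unknown option values fail closed, so a typo in the setting cannot silently widen anonymous access.

```python
# Added example modelling the proposed "downloadonly" mode of
# ranger.admin.allow.unauthenticated.access (RANGER-3623). Not Ranger's own
# code; endpoint paths below are constructed for illustration only.

# Values the page discusses: "false" (default), "true" (all listed APIs are
# anonymous) and the proposed "downloadonly".
ALLOWED_VALUES = {"false", "true", "downloadonly"}

# Constructed classification of plugin-facing endpoints by URL prefix.
# Download endpoints only read policy/tag/role state; grant/revoke mutate it.
DOWNLOAD_PREFIXES = (
    "/service/plugins/policies/download/",
    "/service/plugins/tags/download/",
    "/service/roles/download/",
)
MUTATING_PREFIXES = (
    "/service/plugins/services/grant/",
    "/service/plugins/services/revoke/",
)


def classify(path: str) -> str:
    """Map a request path to 'download', 'mutating' or 'other'."""
    if path.startswith(DOWNLOAD_PREFIXES):
        return "download"
    if path.startswith(MUTATING_PREFIXES):
        return "mutating"
    return "other"


def anonymous_allowed(setting: str, path: str) -> bool:
    """Decide whether an unauthenticated request to `path` may proceed."""
    value = setting.strip().lower()
    if value not in ALLOWED_VALUES:
        # Fail closed: a misspelled value must not behave like "true".
        raise ValueError(f"unsupported value for unauthenticated access: {setting!r}")
    kind = classify(path)
    if value == "true":
        return kind in ("download", "mutating")
    if value == "downloadonly":
        return kind == "download"
    return False


def anonymous_surface(setting: str) -> set:
    """Endpoint kinds an anonymous client can reach under `setting` (for audits)."""
    samples = {"download": DOWNLOAD_PREFIXES[0] + "hive",
               "mutating": MUTATING_PREFIXES[0] + "hive"}
    return {k for k, p in samples.items() if anonymous_allowed(setting, p)}
```

`anonymous_surface` gives a one-line audit of what a given setting exposes, which is the question an administrator should answer before enabling either mode.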