Posted to dev@ranger.apache.org by "Pradeep Agrawal (Jira)" <ji...@apache.org> on 2021/12/08 00:53:00 UTC
[jira] [Updated] (RANGER-3502) Make GET zone APIs accessible to authorized users only
[ https://issues.apache.org/jira/browse/RANGER-3502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pradeep Agrawal updated RANGER-3502:
------------------------------------
Fix Version/s: 3.0.0
> Make GET zone APIs accessible to authorized users only
> ------------------------------------------------------
>
> Key: RANGER-3502
> URL: https://issues.apache.org/jira/browse/RANGER-3502
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Kishor Gollapalliwar
> Assignee: Kishor Gollapalliwar
> Priority: Major
> Fix For: 3.0.0
>
>
> Currently the get [zones|https://ranger.apache.org/apidocs/resource_SecurityZoneREST.html#resource_SecurityZoneREST_getAllZones_GET] API returns all zones even for users who are not authorized for the zone module. Restrict this API to only users who are authorized for the zone module.
> Steps to reproduce:
> # Create an internal user named test_user1
> # Remove the permission on the Security Zone module for the user
> # Log in as test_user1 to Ranger Admin; the user should not be able to see the Security Zone tab
> # Access the API using curl
> {code:java}
> curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
> {code}
> {code:java}
> curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
> {code}
> {code:java}
> curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
> {code}
>
>
>
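The reproduction steps above can be turned into a repeatable authorization regression check. The following is an added example, not part of the original message or of Ranger's code; the function names, the injected `status_for` callable and the rule that any 2xx response counts as exposed are assumptions of this example.

```python
import base64
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Paths from the three curl commands in the report.
ZONE_PATHS = (
    "/service/zones/zones",
    "/service/zones/zones/{zone_id}",
    "/service/zones/zones/name/{zone_name}",
)


def http_status(url, user, password, verify_tls=True):
    """Authenticated GET; returns the HTTP status code (errors included)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context()
    if not verify_tls:  # like curl -k, only for lab hosts with self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404 are raised as exceptions by urllib


def exposed_endpoints(base_url, zone_id, zone_name, status_for):
    """Return zone URLs that answer 2xx for the restricted test user.

    status_for(url) -> int is injected: wrap http_status for a live check,
    or pass recorded statuses. Any 2xx counts as exposed (assumption; the
    report does not say which status a fixed server returns).
    """
    exposed = []
    for path in ZONE_PATHS:
        url = base_url.rstrip("/") + path.format(
            zone_id=int(zone_id),
            zone_name=urllib.parse.quote(zone_name, safe=""),
        )
        if 200 <= status_for(url) < 300:
            exposed.append(url)
    return exposed
```

For a live run, pass `lambda u: http_status(u, user, password)` as `status_for`, using the restricted test account from the steps above; an empty list means none of the three GET endpoints returned zone data to that user.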