Posted to dev@ranger.apache.org by "Abhilash Perla (Jira)" <ji...@apache.org> on 2022/12/23 02:52:00 UTC

[jira] [Updated] (RANGER-4027) Ranger asset ugsyncAudits rest api is giving access to the unauthorized user

     [ https://issues.apache.org/jira/browse/RANGER-4027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Abhilash Perla updated RANGER-4027:
-----------------------------------
    Description: 
Test case steps followed: 

When we call the API ([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAudits_GET]) with the hrt_1 user (who doesn't have admin privileges), we get a 403 response.

Command or api request:
{noformat}
curl -iku hrt_1:Password@123 'https://ranger_base_url:6182/service/assets/ugsyncAudits'
{noformat}
The output:
{noformat}
HTTP/1.1 403 Forbidden
Set-Cookie: RANGERADMINSESSIONID=2A265BF9974B392294B8B49ED8A2DEBC; Path=/; Secure; HttpOnly
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 22 Dec 2022 11:40:04 GMT
Server: Apache Ranger


User is not having permissions on the Audit module.
{noformat}
Then, when this API ([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAuditsBySyncSource_GET]) is called, it gives access.

The api request:
{noformat}
curl -iku hrt_1:Password@123 'https://ranger_base_url:6182/service/assets/ugsyncAudits/random'
{noformat}
The output:
{noformat}
HTTP/1.1 200 OK
Set-Cookie: RANGERADMINSESSIONID=66C3858FAD2599A431476ECFBDBFF0EF; Path=/; Secure; HttpOnly
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 22 Dec 2022 11:43:08 GMT
Server: Apache Ranger


{"startIndex":0,"pageSize":0,"totalCount":0,"resultSize":0,"queryTimeMS":1671709388359,"vxUgsyncAuditInfoList":[]}
{noformat}
 

Expected Output:
When the API assets/ugsyncAudits/\{syncSource} is called by the hrt_1 user, the request should be denied and should return a 403.

Actual Output:
The hrt_1 user is able to access the assets/ugsyncAudits/\{syncSource} API, and the request returns 200.

  was:
Test case steps followed: 

When we call the API ([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAudits_GET]) with the hrt_1 user (who doesn't have admin privileges), we get a 403 response.

Command or api request:
{noformat}
curl -iku hrt_1:Password@123 'https://quasar-aduelu-1.quasar-aduelu.root.hwx.site:6182/service/assets/ugsyncAudits'
{noformat}
The output:
{noformat}
HTTP/1.1 403 Forbidden
Set-Cookie: RANGERADMINSESSIONID=2A265BF9974B392294B8B49ED8A2DEBC; Path=/; Secure; HttpOnly
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 22 Dec 2022 11:40:04 GMT
Server: Apache Ranger


User is not having permissions on the Audit module.
{noformat}
Then, when this API ([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAuditsBySyncSource_GET]) is called, it gives access.

The api request:
{noformat}
curl -iku hrt_1:Password@123 'https://quasar-aduelu-1.quasar-aduelu.root.hwx.site:6182/service/assets/ugsyncAudits/random'
{noformat}
The output:
{noformat}
HTTP/1.1 200 OK
Set-Cookie: RANGERADMINSESSIONID=66C3858FAD2599A431476ECFBDBFF0EF; Path=/; Secure; HttpOnly
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
Content-Type: application/json
Transfer-Encoding: chunked
Date: Thu, 22 Dec 2022 11:43:08 GMT
Server: Apache Ranger


{"startIndex":0,"pageSize":0,"totalCount":0,"resultSize":0,"queryTimeMS":1671709388359,"vxUgsyncAuditInfoList":[]}
{noformat}
 

Expected Output:
When the API assets/ugsyncAudits/\{syncSource} is called by the hrt_1 user, the request should be denied and should return a 403.

Actual Output:
The hrt_1 user is able to access the assets/ugsyncAudits/\{syncSource} API, and the request returns 200.


> Ranger asset ugsyncAudits rest api is giving access to the unauthorized user
> ----------------------------------------------------------------------------
>
>                 Key: RANGER-4027
>                 URL: https://issues.apache.org/jira/browse/RANGER-4027
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhilash Perla
>            Priority: Major
>
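The ticket describes a classic authorization gap: the module-permission check that protects the collection endpoint is not applied to the sibling endpoint under the same path prefix. The following is an added illustration written for this page, not Ranger's code; the Route/User/dispatch names and the in-memory route table are hypothetical stand-ins for a REST layer, and the users and paths are constructed from the ticket. It models both the pre-fix route table (list route guarded, per-syncSource route unguarded) and the fixed one, and adds a regression check that flags any route nested under a guarded prefix that does not carry the same guard.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class User:
    """Hypothetical caller identity: the set of admin modules the user holds."""
    name: str
    modules: Set[str] = field(default_factory=set)  # e.g. {"Audit"}


@dataclass
class Route:
    """Hypothetical route entry; '{name}' segments in pattern are path parameters."""
    pattern: str
    handler: Callable
    requires: Optional[str]  # module the caller must hold, or None for no check

    def regex(self) -> "re.Pattern":
        rx = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", self.pattern)
        return re.compile("^" + rx + "$")


def dispatch(routes: List[Route], user: User, path: str):
    """Return (status, body) the way a REST layer with a per-route module guard would."""
    for r in routes:
        m = r.regex().match(path)
        if not m:
            continue
        if r.requires and r.requires not in user.modules:
            # Same wording as the 403 body quoted in the ticket.
            return 403, f"User is not having permissions on the {r.requires} module."
        return 200, r.handler(user, **m.groupdict())
    return 404, "not found"


def list_ugsync_audits(user: User):
    return {"vxUgsyncAuditInfoList": []}


def list_ugsync_audits_by_source(user: User, syncSource: str):
    return {"vxUgsyncAuditInfoList": [], "syncSource": syncSource}


# Before the fix: only the collection route is guarded (the gap the ticket reports).
ROUTES_BEFORE = [
    Route("/service/assets/ugsyncAudits", list_ugsync_audits, "Audit"),
    Route("/service/assets/ugsyncAudits/{syncSource}", list_ugsync_audits_by_source, None),
]

# After the fix: both routes require the Audit module.
ROUTES_AFTER = [
    Route("/service/assets/ugsyncAudits", list_ugsync_audits, "Audit"),
    Route("/service/assets/ugsyncAudits/{syncSource}", list_ugsync_audits_by_source, "Audit"),
]

# Constructed callers: a non-admin user as in the ticket, and an Audit-module admin.
HRT_1 = User("hrt_1")
AUDIT_ADMIN = User("admin", {"Audit"})


def probe(routes: List[Route], user: User):
    """Status codes for the two endpoints from the ticket, called as the given user."""
    return (
        dispatch(routes, user, "/service/assets/ugsyncAudits")[0],
        dispatch(routes, user, "/service/assets/ugsyncAudits/random")[0],
    )


def unguarded_siblings(routes: List[Route]) -> List[str]:
    """Regression check: every route nested under a guarded prefix must carry the
    same guard.  Returns the patterns that violate this (empty list means clean)."""
    guarded = {r.pattern: r.requires for r in routes if r.requires}
    bad = []
    for r in routes:
        for prefix, module in guarded.items():
            if r.pattern.startswith(prefix + "/") and r.requires != module:
                bad.append(r.pattern)
    return bad


if __name__ == "__main__":
    print("before fix, hrt_1:", probe(ROUTES_BEFORE, HRT_1))       # (403, 200)
    print("after fix, hrt_1: ", probe(ROUTES_AFTER, HRT_1))        # (403, 403)
    print("after fix, admin: ", probe(ROUTES_AFTER, AUDIT_ADMIN))  # (200, 200)
    print("unguarded before:", unguarded_siblings(ROUTES_BEFORE))
    print("unguarded after: ", unguarded_siblings(ROUTES_AFTER))
```

The `unguarded_siblings` walk is the part worth keeping as a unit test in a real code base: it turns the ticket's manual curl comparison into an automated check that fails the build whenever a new sub-resource route is registered under a guarded prefix without the same module requirement.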



--
This message was sent by Atlassian Jira
(v8.20.10#820010)