This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 29038c4f8 RANGER-3623: added configuration to enable anonymous download of policy/role/tag/user
29038c4f8 is described below
commit 29038c4f811125681bdfa3dd347cbcfc44f7bd5e
Author: ZhouTianling <zhoutianl...@sensorsdata.cn>
AuthorDate: Tue Feb 15 11:47:10 2022 +0800
RANGER-3623: added configuration to enable anonymous download of policy/role/tag/user
Signed-off-by: Madhan Neethiraj <mad...@apache.org>
---
.../java/org/apache/ranger/biz/RangerBizUtil.java | 14 ++++++++++++++
.../main/java/org/apache/ranger/rest/RoleREST.java | 2 +-
.../java/org/apache/ranger/rest/ServiceREST.java | 2 +-
.../main/java/org/apache/ranger/rest/TagREST.java | 2 +-
.../main/java/org/apache/ranger/rest/XUserREST.java | 2 +-
.../conf.dist/ranger-admin-default-site.xml | 21 +++++++++++++++++++++
6 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 252198ae8..f9294c1e1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -119,6 +119,7 @@ public class RangerBizUtil {
 String auditDBType = AUDIT_STORE_RDBMS;
 private final boolean allowUnauthenticatedAccessInSecureEnvironment;
+ private final boolean allowUnauthenticatedDownloadAccessInSecureEnvironment;
 static String fileSeparator = PropertiesUtil.getProperty("ranger.file.separator", "/");
@@ -126,6 +127,8 @@ public class RangerBizUtil {
 RangerAdminConfig config = RangerAdminConfig.getInstance();
 allowUnauthenticatedAccessInSecureEnvironment = config.getBoolean("ranger.admin.allow.unauthenticated.access", false);
+ allowUnauthenticatedDownloadAccessInSecureEnvironment = config.getBoolean("ranger.admin.allow.unauthenticated.download.access",
+ allowUnauthenticatedAccessInSecureEnvironment);
 maxFirstNameLength = Integer.parseInt(PropertiesUtil.getProperty("ranger.user.firstname.maxlength", "16"));
 maxDisplayNameLength = PropertiesUtil.getIntProperty("ranger.bookmark.name.maxlen", maxDisplayNameLength);
@@ -468,6 +471,17 @@ public class RangerBizUtil {
 }
 }
+ public void failUnauthenticatedDownloadIfNotAllowed() throws Exception {
+ if (UserGroupInformation.isSecurityEnabled()) {
+ UserSessionBase currentUserSession = ContextUtil.getCurrentUserSession();
+ if (currentUserSession == null) {
+ if (!allowUnauthenticatedDownloadAccessInSecureEnvironment) {
+ throw new Exception("Unauthenticated access not allowed");
+ }
+ }
+ }
+ }
+
 /**
 * returns true if user is having required permission on given Hbase
 * resource
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
index d2bc59a02..1e74a5ffd 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java
@@ -744,7 +744,7 @@ public class RoleREST {
 String logMsg = null;
 try {
- bizUtil.failUnauthenticatedIfNotAllowed();
+ bizUtil.failUnauthenticatedDownloadIfNotAllowed();
 isValid = serviceUtil.isValidService(serviceName, request);
 } catch (WebApplicationException webException) {
 httpCode = webException.getResponse().getStatus();
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 58013415c..b79188733 100644
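Review bot: The second argument to `config.getBoolean` on the added lines makes the download flag silently inherit `ranger.admin.allow.unauthenticated.access` whenever the download property is absent, and nothing in the constructor says so. A comment on those lines would make the coupling explicit, e.g. `// absent download flag inherits the general unauthenticated-access flag, so blanket anonymous access also opens the download endpoints`. The constructor this hunk belongs to starts and ends outside the hunk.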
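Review bot: `failUnauthenticatedDownloadIfNotAllowed` throws a bare `java.lang.Exception`, while every call site switched in this commit (RoleREST here, and ServiceREST, TagREST, XUserREST in the following hunks) wraps the call in `catch (WebApplicationException webException)` and takes the HTTP status from it, so the rejection bypasses that handler and is left to whatever broader catch follows. Throwing `new WebApplicationException(Response.Status.UNAUTHORIZED)` instead (or whatever the existing `failUnauthenticatedIfNotAllowed` throws, which is not visible here) would keep the status mapping consistent across the four download endpoints. The method also has no Javadoc; a one-line summary stating that it rejects callers with no user session in a Kerberos-enabled deployment unless `ranger.admin.allow.unauthenticated.download.access` permits it would help the next reader. When the flag does permit the download, the method returns silently; a single log line on that branch would let operators see that policies, roles, tags or users are being served without authentication.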
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -3082,7 +3082,7 @@ public class ServiceREST {
 boolean isValid = false;
 try {
- bizUtil.failUnauthenticatedIfNotAllowed();
+ bizUtil.failUnauthenticatedDownloadIfNotAllowed();
 isValid = serviceUtil.isValidateHttpsAuthentication(serviceName, request);
 } catch (WebApplicationException webException) {
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
index 01df04e3f..c7cf3bfb8 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
@@ -1194,7 +1194,7 @@ public class TagREST {
 }
 try {
- bizUtil.failUnauthenticatedIfNotAllowed();
+ bizUtil.failUnauthenticatedDownloadIfNotAllowed();
 ret = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion, !supportsTagDeltas);
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index efb74ce1c..2b9df4946 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -1316,7 +1316,7 @@ public class XUserREST {
 Long downloadedVersion = null;
 try {
- bizUtil.failUnauthenticatedIfNotAllowed();
+ bizUtil.failUnauthenticatedDownloadIfNotAllowed();
 isValid = serviceUtil.isValidService(serviceName, request);
 } catch (WebApplicationException webException) {
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 58f434da5..68d8a0303 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -171,6 +171,27 @@
 <value>5</value>
 </property>
+<!-- # anonymous access -->
+ <property>
+ <name>ranger.admin.allow.unauthenticated.access</name>
+ <value>false</value>
+ <description>
+ Enable unauthenticated access, it can not be used in production environment.
+ See security-applicationContext.xml for more.
+ </description>
+ </property>
+ <property>
+ <name>ranger.admin.allow.unauthenticated.download.access</name>
+ <value>false</value>
+ <description>
+ Enable unauthenticated download access. It enables /service/tags/download, /service/roles/download/ and
+ /service/plugins/policies/download only.
+ In the kerberos environment where the security requirements are not particularly high, it can be used to
+ avoid the trouble of download only ranger plugin accessing ranger via kerberos to download policies and
+ roles. In many cases, this kind of downloading behavior does not need to be protected.
+ </description>
+ </property>
+
 <!-- #hacks -->
 <property>
 <name>ranger.allow.hack</name>
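Review bot: The description for `ranger.admin.allow.unauthenticated.download.access` says it enables the tags, roles and policies download endpoints "only", but this commit also switches the XUserREST download call site (the commit title says policy/role/tag/user), so the users download endpoint is missing from that list and should be added. The explicit `<value>false</value>` also diverges from the code, which defaults the download flag to `ranger.admin.allow.unauthenticated.access` when the property is absent; if this default-site file is loaded by RangerAdminConfig, the explicit false overrides that inheritance, so either omit the value or state the inherited default in the description so operators know which one wins. In the first property, `it can not be used in production environment` reads better as `it must not be used in a production environment`.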