This is an automated email from the ASF dual-hosted git repository.
ramackri pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 5be05d8d9 RANGER-5635:
ranger.admin.allow.unauthenticated.download.access is honored only when
Kerberos is enabled (#1011)
5be05d8d9 is described below
commit 5be05d8d9826baddc5eb1875a9c2cc4818499db9
Author: Vyom Mani Tiwari <[email protected]>
AuthorDate: Mon Jun 15 07:54:37 2026 +0530
RANGER-5635: ranger.admin.allow.unauthenticated.download.access is honored
only when Kerberos is enabled (#1011)
---
.../java/org/apache/ranger/biz/RangerBizUtil.java | 19 ++++------
.../org/apache/ranger/biz/TestRangerBizUtil.java | 42 ++++++++++++++++++++++
.../org/apache/ranger/rest/TestServiceREST.java | 22 ++++++++++++
3 files changed, 70 insertions(+), 13 deletions(-)
diff --git
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 9a930e15e..b54e96bb1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -23,7 +23,6 @@
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOCase;
import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
import org.apache.ranger.common.AppConstants;
import org.apache.ranger.common.ContextUtil;
@@ -551,22 +550,16 @@ public Long getXUserId() {
}
public void failUnauthenticatedIfNotAllowed() throws Exception {
- if (UserGroupInformation.isSecurityEnabled()) {
- UserSessionBase currentUserSession =
ContextUtil.getCurrentUserSession();
-
- if (currentUserSession == null &&
!allowUnauthenticatedAccessInSecureEnvironment) {
- throw new Exception("Unauthenticated access not allowed");
- }
+ UserSessionBase currentUserSession =
ContextUtil.getCurrentUserSession();
+ if (currentUserSession == null &&
!allowUnauthenticatedAccessInSecureEnvironment) {
+ throw new Exception("Unauthenticated access not allowed");
}
}
public void failUnauthenticatedDownloadIfNotAllowed() throws Exception {
- if (UserGroupInformation.isSecurityEnabled()) {
- UserSessionBase currentUserSession =
ContextUtil.getCurrentUserSession();
-
- if (currentUserSession == null &&
!allowUnauthenticatedDownloadAccessInSecureEnvironment) {
- throw new Exception("Unauthenticated access not allowed");
- }
+ UserSessionBase currentUserSession =
ContextUtil.getCurrentUserSession();
+ if (currentUserSession == null &&
!allowUnauthenticatedDownloadAccessInSecureEnvironment) {
+ throw new Exception("Unauthenticated access not allowed");
}
}
diff --git
a/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
b/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
index 91a8dca27..bc94001ef 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
@@ -1248,4 +1248,46 @@ public void testMatchHbasePolicy_true() {
VXResponse vXResponse = new VXResponse();
Assertions.assertTrue(rangerBizUtil.matchHbasePolicy("t/f/c", resList,
vXResponse, 115L, permission));
}
+
+ @Test
+ void testFailUnauthenticatedDownload_blocksWhenNoSessionAndFlagFalse() {
+ RangerContextHolder.setSecurityContext(null);
+ Assertions.assertThrows(Exception.class, () ->
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+ }
+
+ @Test
+ void testFailUnauthenticatedDownload_allowsWhenSessionPresent() {
+ Assertions.assertDoesNotThrow(() ->
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+ }
+
+ @Test
+ void testFailUnauthenticatedDownload_allowsWhenFlagTrue() throws Exception
{
+ RangerContextHolder.setSecurityContext(null);
+ setField("allowUnauthenticatedDownloadAccessInSecureEnvironment",
true);
+ Assertions.assertDoesNotThrow(() ->
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+ }
+
+ @Test
+ void testFailUnauthenticated_blocksWhenNoSessionAndFlagFalse() {
+ RangerContextHolder.setSecurityContext(null);
+ Assertions.assertThrows(Exception.class, () ->
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+ }
+
+ @Test
+ void testFailUnauthenticated_allowsWhenSessionPresent() {
+ Assertions.assertDoesNotThrow(() ->
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+ }
+
+ @Test
+ void testFailUnauthenticated_allowsWhenFlagTrue() throws Exception {
+ RangerContextHolder.setSecurityContext(null);
+ setField("allowUnauthenticatedAccessInSecureEnvironment", true);
+ Assertions.assertDoesNotThrow(() ->
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+ }
+
+ private void setField(String name, Object value) throws Exception {
+ Field f = RangerBizUtil.class.getDeclaredField(name);
+ f.setAccessible(true);
+ f.set(rangerBizUtil, value);
+ }
}
diff --git
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index af940149e..3294548d7 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -3840,6 +3840,28 @@ public void
test154GetPolicyForVersionNumberWithAccessDenied() throws Exception
Mockito.verify(restErrorUtil).createRESTException(Mockito.anyInt(),
Mockito.anyString(), Mockito.anyBoolean());
}
+ @Test
+ void test155DownloadBlockedWhenUnauthenticatedAndFlagFalse() throws
Exception {
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ RangerContextHolder.setSecurityContext(null); //
no session; flag=false (mock default)
+
Mockito.doCallRealMethod().when(bizUtil).failUnauthenticatedDownloadIfNotAllowed();
+ Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(),
Mockito.anyString(), Mockito.anyBoolean()))
+ .thenReturn(new WebApplicationException());
+ Assertions.assertThrows(WebApplicationException.class, () ->
serviceREST.getServicePoliciesIfUpdated("HDFS_1",
+ 1L, 0L, "1", "", "", false, capabilityVector, request));
+ }
+
+ @Test
+ void test156GrantBlockedWhenUnauthenticatedAndFlagFalse() throws Exception
{
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ GrantRevokeRequest grantRequest = createValidGrantRevokeRequest();
+ Mockito.when(serviceUtil.isValidateHttpsAuthentication("HDFS_1",
request)).thenReturn(true); // enter the guarded block
+
Mockito.doCallRealMethod().when(bizUtil).failUnauthenticatedIfNotAllowed();
+ RangerContextHolder.setSecurityContext(null);
+
Mockito.when(restErrorUtil.createRESTException(Mockito.anyString())).thenReturn(new
WebApplicationException());
+ Assertions.assertThrows(WebApplicationException.class, () ->
serviceREST.grantAccess("HDFS_1", grantRequest, request));
+ }
+
RangerPolicy rangerPolicy() {
List<RangerPolicyItemAccess> accesses = new ArrayList<>();
List<String> users = new ArrayList<>();