This is an automated email from the ASF dual-hosted git repository.

ramackri pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5be05d8d9 RANGER-5635: 
ranger.admin.allow.unauthenticated.download.access is honored only when 
Kerberos is enabled (#1011)
5be05d8d9 is described below

commit 5be05d8d9826baddc5eb1875a9c2cc4818499db9
Author: Vyom Mani Tiwari <[email protected]>
AuthorDate: Mon Jun 15 07:54:37 2026 +0530

    RANGER-5635: ranger.admin.allow.unauthenticated.download.access is honored 
only when Kerberos is enabled (#1011)
---
 .../java/org/apache/ranger/biz/RangerBizUtil.java  | 19 ++++------
 .../org/apache/ranger/biz/TestRangerBizUtil.java   | 42 ++++++++++++++++++++++
 .../org/apache/ranger/rest/TestServiceREST.java    | 22 ++++++++++++
 3 files changed, 70 insertions(+), 13 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 9a930e15e..b54e96bb1 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -23,7 +23,6 @@
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOCase;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
 import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.ContextUtil;
@@ -551,22 +550,16 @@ public Long getXUserId() {
     }
 
     public void failUnauthenticatedIfNotAllowed() throws Exception {
-        if (UserGroupInformation.isSecurityEnabled()) {
-            UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
-
-            if (currentUserSession == null && 
!allowUnauthenticatedAccessInSecureEnvironment) {
-                throw new Exception("Unauthenticated access not allowed");
-            }
+        UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
+        if (currentUserSession == null && 
!allowUnauthenticatedAccessInSecureEnvironment) {
+            throw new Exception("Unauthenticated access not allowed");
         }
     }
 
     public void failUnauthenticatedDownloadIfNotAllowed() throws Exception {
-        if (UserGroupInformation.isSecurityEnabled()) {
-            UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
-
-            if (currentUserSession == null && 
!allowUnauthenticatedDownloadAccessInSecureEnvironment) {
-                throw new Exception("Unauthenticated access not allowed");
-            }
+        UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
+        if (currentUserSession == null && 
!allowUnauthenticatedDownloadAccessInSecureEnvironment) {
+            throw new Exception("Unauthenticated access not allowed");
         }
     }
 
diff --git 
a/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java 
b/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
index 91a8dca27..bc94001ef 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
@@ -1248,4 +1248,46 @@ public void testMatchHbasePolicy_true() {
         VXResponse vXResponse = new VXResponse();
         Assertions.assertTrue(rangerBizUtil.matchHbasePolicy("t/f/c", resList, 
vXResponse, 115L, permission));
     }
+
+    @Test
+    void testFailUnauthenticatedDownload_blocksWhenNoSessionAndFlagFalse() {
+        RangerContextHolder.setSecurityContext(null);
+        Assertions.assertThrows(Exception.class, () -> 
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+    }
+
+    @Test
+    void testFailUnauthenticatedDownload_allowsWhenSessionPresent() {
+        Assertions.assertDoesNotThrow(() -> 
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+    }
+
+    @Test
+    void testFailUnauthenticatedDownload_allowsWhenFlagTrue() throws Exception 
{
+        RangerContextHolder.setSecurityContext(null);
+        setField("allowUnauthenticatedDownloadAccessInSecureEnvironment", 
true);
+        Assertions.assertDoesNotThrow(() -> 
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+    }
+
+    @Test
+    void testFailUnauthenticated_blocksWhenNoSessionAndFlagFalse() {
+        RangerContextHolder.setSecurityContext(null);
+        Assertions.assertThrows(Exception.class, () -> 
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+    }
+
+    @Test
+    void testFailUnauthenticated_allowsWhenSessionPresent() {
+        Assertions.assertDoesNotThrow(() -> 
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+    }
+
+    @Test
+    void testFailUnauthenticated_allowsWhenFlagTrue() throws Exception {
+        RangerContextHolder.setSecurityContext(null);
+        setField("allowUnauthenticatedAccessInSecureEnvironment", true);
+        Assertions.assertDoesNotThrow(() -> 
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+    }
+
+    private void setField(String name, Object value) throws Exception {
+        Field f = RangerBizUtil.class.getDeclaredField(name);
+        f.setAccessible(true);
+        f.set(rangerBizUtil, value);
+    }
 }
diff --git 
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index af940149e..3294548d7 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -3840,6 +3840,28 @@ public void 
test154GetPolicyForVersionNumberWithAccessDenied() throws Exception
         Mockito.verify(restErrorUtil).createRESTException(Mockito.anyInt(), 
Mockito.anyString(), Mockito.anyBoolean());
     }
 
+    @Test
+    void test155DownloadBlockedWhenUnauthenticatedAndFlagFalse() throws 
Exception {
+        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+        RangerContextHolder.setSecurityContext(null);                       // 
no session; flag=false (mock default)
+        
Mockito.doCallRealMethod().when(bizUtil).failUnauthenticatedDownloadIfNotAllowed();
+        Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(), 
Mockito.anyString(), Mockito.anyBoolean()))
+                .thenReturn(new WebApplicationException());
+        Assertions.assertThrows(WebApplicationException.class, () -> 
serviceREST.getServicePoliciesIfUpdated("HDFS_1",
+                1L, 0L, "1", "", "", false, capabilityVector, request));
+    }
+
+    @Test
+    void test156GrantBlockedWhenUnauthenticatedAndFlagFalse() throws Exception 
{
+        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+        GrantRevokeRequest grantRequest = createValidGrantRevokeRequest();
+        Mockito.when(serviceUtil.isValidateHttpsAuthentication("HDFS_1", 
request)).thenReturn(true); // enter the guarded block
+        
Mockito.doCallRealMethod().when(bizUtil).failUnauthenticatedIfNotAllowed();
+        RangerContextHolder.setSecurityContext(null);
+        
Mockito.when(restErrorUtil.createRESTException(Mockito.anyString())).thenReturn(new
 WebApplicationException());
+        Assertions.assertThrows(WebApplicationException.class, () -> 
serviceREST.grantAccess("HDFS_1", grantRequest, request));
+    }
+
     RangerPolicy rangerPolicy() {
         List<RangerPolicyItemAccess>    accesses         = new ArrayList<>();
         List<String>                    users            = new ArrayList<>();

Reply via email to