This is an automated email from the ASF dual-hosted git repository.

pradeepagrawal8184 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new c804fc351 RANGER-5619: Keyadmin user unable to perform test connection 
for cm_kms service (#1024)
c804fc351 is described below

commit c804fc3518fd70e594e05d674f847847860bc53a
Author: Vyom Mani Tiwari <[email protected]>
AuthorDate: Wed Jun 17 20:22:55 2026 +0530

    RANGER-5619: Keyadmin user unable to perform test connection for cm_kms 
service (#1024)
---
 .../java/org/apache/ranger/rest/ServiceREST.java   | 12 +++++--
 .../org/apache/ranger/rest/TestServiceREST.java    | 38 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 2cd449cba..ea76f5415 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -196,7 +196,7 @@ public class ServiceREST {
     public static final String PURGE_RECORD_TYPE_LOGIN_LOGS         = 
"login_records";
     public static final String PURGE_RECORD_TYPE_TRX_LOGS           = 
"trx_records";
     public static final String PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS = 
"policy_export_logs";
-    public static final String ERR_VALIDATE_CONFIG_ADMIN_ONLY       = "Only 
system administrators can validate service configs";
+    public static final String ERR_VALIDATE_CONFIG_ADMIN_ONLY       = "Only 
system administrators or key administrators can validate service configs";
 
     private final RangerAdminConfig config                              = 
RangerAdminConfig.getInstance();
     private final int               maxPolicyNameLength                 = 
config.getInt("ranger.policyname.maxlength", 255);
@@ -1080,8 +1080,14 @@ public VXResponse validateConfig(RangerService service) {
         RangerPerfTracer perf = null;
 
         if (!bizUtil.isAdmin()) {
-            LOG.warn("Unauthorized validateConfig attempt by user: {}", 
bizUtil.getCurrentUserLoginId());
-            throw 
restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, 
ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
+            if (!bizUtil.isKeyAdmin()) {
+                LOG.warn("Unauthorized validateConfig attempt by user: {}", 
bizUtil.getCurrentUserLoginId());
+                throw 
restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, 
ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
+            }
+            XXServiceDef serviceDef = 
daoManager.getXXServiceDef().findByName(service.getType());
+            if (serviceDef == null || 
!EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDef.getImplclassname()))
 {
+                throw 
restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, 
ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
+            }
         }
         try {
             if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
diff --git 
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 0fc53d00d..125940347 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -1133,6 +1133,44 @@ public void 
test35ValidateConfig_NonAdminUser_ThrowsForbidden() throws Exception
         Mockito.verify(serviceMgr, 
Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
     }
 
+    @Test
+    public void test35eValidateConfig_KeyAdminUser_KmsService_Succeeds() 
throws Exception {
+        RangerService rangerService = rangerService();
+        rangerService.setType("cm_kms");
+        Mockito.when(bizUtil.isAdmin()).thenReturn(false);
+        Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
+        XXServiceDef xServiceDef = serviceDef();
+        XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+        
xServiceDef.setImplclassname(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);
+        Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+        
Mockito.when(xServiceDefDao.findByName("cm_kms")).thenReturn(xServiceDef);
+        Mockito.when(serviceMgr.validateConfig(rangerService, 
svcStore)).thenReturn(vXResponse);
+        VXResponse result = serviceREST.validateConfig(rangerService);
+        Assertions.assertNotNull(result);
+        Mockito.verify(bizUtil).isAdmin();
+        Mockito.verify(bizUtil).isKeyAdmin();
+        Mockito.verify(serviceMgr).validateConfig(rangerService, svcStore);
+    }
+
+    @Test
+    public void 
test35fValidateConfig_KeyAdminUser_NonKmsService_ThrowsForbidden() throws 
Exception {
+        RangerService rangerService = rangerService();
+        rangerService.setType("hdfs");
+        Mockito.when(bizUtil.isAdmin()).thenReturn(false);
+        Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
+        XXServiceDef xServiceDef = serviceDef();
+        XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+        
xServiceDef.setImplclassname("org.apache.ranger.services.hdfs.RangerServiceHdfs");
+        Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+        
Mockito.when(xServiceDefDao.findByName("hdfs")).thenReturn(xServiceDef);
+        
Mockito.when(restErrorUtil.createRESTException(Mockito.eq(HttpServletResponse.SC_FORBIDDEN),
 Mockito.anyString(), Mockito.eq(true)))
+                .thenReturn(new 
WebApplicationException(HttpServletResponse.SC_FORBIDDEN));
+        Assertions.assertThrows(WebApplicationException.class, () -> 
serviceREST.validateConfig(rangerService));
+        Mockito.verify(bizUtil).isAdmin();
+        Mockito.verify(bizUtil).isKeyAdmin();
+        Mockito.verify(serviceMgr, 
Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
+    }
+
     @Test
     public void test40applyPolicy() {
         RangerPolicy existingPolicy = rangerPolicy();

Reply via email to