This is an automated email from the ASF dual-hosted git repository. ramackri pushed a commit to branch RANGER-5657-backport-ranger-2.9 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 4983c4e152e42866956cffcddf8f3e47e74f7ab5 Author: ramk <[email protected]> AuthorDate: Sat Jul 4 21:22:21 2026 +0530 RANGER-5657: Limit getAllModuleNames() to sys-admin sessions in SessionMgr Backport of 0274a6a0 (#1036) to ranger-2.9. Key admin sessions should not receive the full module list via getAllModuleNames(); only sys-admin (user admin) sessions should. --- security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java index 1287e8c69..56f405a9d 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java @@ -236,7 +236,7 @@ public void resetUserModulePermission(UserSessionBase userSession) { XXUser xUser = daoManager.getXXUser().findByUserName(userSession.getLoginId()); if (xUser != null) { List<String> permissionList; - if (userSession.isUserAdmin() || userSession.isKeyAdmin()) { + if (userSession.isUserAdmin()) { permissionList = daoManager.getXXModuleDef().getAllModuleNames(); } else { permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), xUser.getId());
