This is an automated email from the ASF dual-hosted git repository.

ramackri pushed a commit to branch RANGER-5657-backport-ranger-2.9
in repository https://gitbox.apache.org/repos/asf/ranger.git

commit 4983c4e152e42866956cffcddf8f3e47e74f7ab5
Author: ramk <[email protected]>
AuthorDate: Sat Jul 4 21:22:21 2026 +0530

    RANGER-5657: Limit getAllModuleNames() to sys-admin sessions in SessionMgr
    
    Backport of 0274a6a0 (#1036) to ranger-2.9.
    
    Key admin sessions should not receive the full module list via 
getAllModuleNames();
    only sys-admin (user admin) sessions should.
---
 security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index 1287e8c69..56f405a9d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -236,7 +236,7 @@ public void resetUserModulePermission(UserSessionBase 
userSession) {
                XXUser xUser = 
daoManager.getXXUser().findByUserName(userSession.getLoginId());
                if (xUser != null) {
                        List<String> permissionList;
-                       if (userSession.isUserAdmin() || 
userSession.isKeyAdmin()) {
+                       if (userSession.isUserAdmin()) {
                                permissionList = 
daoManager.getXXModuleDef().getAllModuleNames();
                        } else {
                                permissionList = 
daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(),
 xUser.getId());

Reply via email to