This is an automated email from the ASF dual-hosted git repository.

ramackri pushed a commit to branch ranger-2.9
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.9 by this push:
     new e62a798b1 RANGER-5657: Limit getAllModuleNames() to sys-admin sessions 
in SessionMgr (#1043)
e62a798b1 is described below

commit e62a798b1fd2e75be954f3de7eff86e487d0cfad
Author: Ramachandran Krishnan <[email protected]>
AuthorDate: Sat Jul 4 21:23:08 2026 +0530

    RANGER-5657: Limit getAllModuleNames() to sys-admin sessions in SessionMgr 
(#1043)
    
    Backport of 0274a6a0 (#1036) to ranger-2.9.
    
    Key admin sessions should not receive the full module list via 
getAllModuleNames();
    only sys-admin (user admin) sessions should.
    
    Co-authored-by: ramk <[email protected]>
---
 security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index 1287e8c69..56f405a9d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -236,7 +236,7 @@ public void resetUserModulePermission(UserSessionBase 
userSession) {
                XXUser xUser = 
daoManager.getXXUser().findByUserName(userSession.getLoginId());
                if (xUser != null) {
                        List<String> permissionList;
-                       if (userSession.isUserAdmin() || 
userSession.isKeyAdmin()) {
+                       if (userSession.isUserAdmin()) {
                                permissionList = 
daoManager.getXXModuleDef().getAllModuleNames();
                        } else {
                                permissionList = 
daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(),
 xUser.getId());

Reply via email to