This is an automated email from the ASF dual-hosted git repository.
ramackri pushed a commit to branch ranger-2.9
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.9 by this push:
new e62a798b1 RANGER-5657: Limit getAllModuleNames() to sys-admin sessions
in SessionMgr (#1043)
e62a798b1 is described below
commit e62a798b1fd2e75be954f3de7eff86e487d0cfad
Author: Ramachandran Krishnan <[email protected]>
AuthorDate: Sat Jul 4 21:23:08 2026 +0530
RANGER-5657: Limit getAllModuleNames() to sys-admin sessions in SessionMgr
(#1043)
Backport of 0274a6a0 (#1036) to ranger-2.9.
Key admin sessions should not receive the full module list via
getAllModuleNames();
only sys-admin (user admin) sessions should.
Co-authored-by: ramk <[email protected]>
---
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index 1287e8c69..56f405a9d 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -236,7 +236,7 @@ public void resetUserModulePermission(UserSessionBase
userSession) {
XXUser xUser =
daoManager.getXXUser().findByUserName(userSession.getLoginId());
if (xUser != null) {
List<String> permissionList;
- if (userSession.isUserAdmin() ||
userSession.isKeyAdmin()) {
+ if (userSession.isUserAdmin()) {
permissionList =
daoManager.getXXModuleDef().getAllModuleNames();
} else {
permissionList =
daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(),
xUser.getId());