This is an automated email from the ASF dual-hosted git repository.

pradeepagrawal8184 pushed a commit to branch ranger-2.9
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-2.9 by this push:
     new 5b2138452 RANGER-5635: 
ranger.admin.allow.unauthenticated.download.access is honored only when 
Kerberos is enabled (#1048)
5b2138452 is described below

commit 5b2138452027ccdeb560800268a13d67f72e6d16
Author: Vyom Mani Tiwari <[email protected]>
AuthorDate: Tue Jul 7 11:49:39 2026 +0530

    RANGER-5635: ranger.admin.allow.unauthenticated.download.access is honored 
only when Kerberos is enabled (#1048)
---
 .../java/org/apache/ranger/biz/RangerBizUtil.java  |  5 --
 .../org/apache/ranger/biz/TestRangerBizUtil.java   | 58 ++++++++++++++++++++++
 .../org/apache/ranger/rest/TestServiceREST.java    | 21 ++++++++
 3 files changed, 79 insertions(+), 5 deletions(-)

diff --git 
a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index c5142ae50..0c97ac5df 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -35,7 +35,6 @@
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOCase;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.authorization.hadoop.config.RangerAdminConfig;
 import org.apache.ranger.common.AppConstants;
 import org.apache.ranger.common.ContextUtil;
@@ -467,21 +466,17 @@ private boolean matchHdfsPolicy(String resourceName,
        }
 
        public void failUnauthenticatedIfNotAllowed() throws Exception {
-               if (UserGroupInformation.isSecurityEnabled()) {
                        UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
                        if (currentUserSession == null && 
!allowUnauthenticatedAccessInSecureEnvironment) {
                                        throw new Exception("Unauthenticated 
access not allowed");
                        }
-               }
        }
 
        public void failUnauthenticatedDownloadIfNotAllowed() throws Exception {
-               if (UserGroupInformation.isSecurityEnabled()) {
                        UserSessionBase currentUserSession = 
ContextUtil.getCurrentUserSession();
                        if (currentUserSession == null && 
!allowUnauthenticatedDownloadAccessInSecureEnvironment) {
                                        throw new Exception("Unauthenticated 
access not allowed");
                        }
-               }
        }
 
        /**
diff --git 
a/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java 
b/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
index ee26e9faa..566bc3219 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestRangerBizUtil.java
@@ -16,6 +16,7 @@
  */
 package org.apache.ranger.biz;
 
+import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -701,4 +702,61 @@ public void 
testCheckUserAccessible_ConfigSuperUserCanManageSysAdminUser() {
                 Assert.assertTrue(rangerBizUtil.checkUserAccessible(vXUser));
         }
 
+       @Test
+       public void 
testFailUnauthenticatedDownload_blocksWhenNoSessionAndFlagFalse() {
+               RangerContextHolder.setSecurityContext(null);
+               Assert.assertThrows(Exception.class, () -> 
rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed());
+       }
+
+       @Test
+       public void testFailUnauthenticatedDownload_allowsWhenSessionPresent() {
+               try {
+                       rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed();
+               } catch (Exception e) {
+                       Assert.fail("Expected no exception, but got: " + 
e.getMessage());
+               }
+       }
+
+       @Test
+       public void testFailUnauthenticatedDownload_allowsWhenFlagTrue() throws 
Exception {
+               RangerContextHolder.setSecurityContext(null);
+               
setField("allowUnauthenticatedDownloadAccessInSecureEnvironment", true);
+               try {
+                       rangerBizUtil.failUnauthenticatedDownloadIfNotAllowed();
+               } catch (Exception e) {
+                       Assert.fail("Expected no exception, but got: " + 
e.getMessage());
+               }
+       }
+
+       @Test
+       public void testFailUnauthenticated_blocksWhenNoSessionAndFlagFalse() {
+               RangerContextHolder.setSecurityContext(null);
+               Assert.assertThrows(Exception.class, () -> 
rangerBizUtil.failUnauthenticatedIfNotAllowed());
+       }
+
+       @Test
+       public void testFailUnauthenticated_allowsWhenSessionPresent() {
+               try {
+                       rangerBizUtil.failUnauthenticatedIfNotAllowed();
+               } catch (Exception e) {
+                       Assert.fail("Expected no exception, but got: " + 
e.getMessage());
+               }
+       }
+
+       @Test
+       public void testFailUnauthenticated_allowsWhenFlagTrue() throws 
Exception {
+               RangerContextHolder.setSecurityContext(null);
+               setField("allowUnauthenticatedAccessInSecureEnvironment", true);
+               try {
+                       rangerBizUtil.failUnauthenticatedIfNotAllowed();
+               } catch (Exception e) {
+                       Assert.fail("Expected no exception, but got: " + 
e.getMessage());
+               }
+       }
+
+       private void setField(String name, Object value) throws Exception {
+               Field f = RangerBizUtil.class.getDeclaredField(name);
+               f.setAccessible(true);
+               f.set(rangerBizUtil, value);
+       }
 }
\ No newline at end of file
diff --git 
a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 
b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 5e892acca..112839f77 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -2803,4 +2803,25 @@ public void 
test81GetPolicyByNameAndServiceNameWithZoneNameIsNull() throws Excep
                Assert.assertEquals(dbRangerPolicy.getId(), 
rangerPolicy.getId());
                Assert.assertEquals(dbRangerPolicy.getName(), 
rangerPolicy.getName());
        }
+       @Test
+       public void test155DownloadBlockedWhenUnauthenticatedAndFlagFalse() 
throws Exception {
+               HttpServletRequest request = 
Mockito.mock(HttpServletRequest.class);
+               RangerContextHolder.setSecurityContext(null);                   
    // no session; flag=false (mock default)
+               
Mockito.doCallRealMethod().when(bizUtil).failUnauthenticatedDownloadIfNotAllowed();
+               
Mockito.when(restErrorUtil.createRESTException(Mockito.anyInt(), 
Mockito.anyString(), Mockito.anyBoolean()))
+                               .thenReturn(new WebApplicationException());
+               Assert.assertThrows(WebApplicationException.class, () -> 
serviceREST.getServicePoliciesIfUpdated("HDFS_1",
+                               1L, 0L, "1", "", "", false, capabilityVector, 
request));
+       }
+
+       @Test
+       public void test156GrantBlockedWhenUnauthenticatedAndFlagFalse() throws 
Exception {
+               HttpServletRequest request = 
Mockito.mock(HttpServletRequest.class);
+               GrantRevokeRequest grantRequest = 
createValidGrantRevokeRequest();
+               
Mockito.when(serviceUtil.isValidateHttpsAuthentication("HDFS_1", 
request)).thenReturn(true); // enter the guarded block
+               
Mockito.doCallRealMethod().when(bizUtil).failUnauthenticatedIfNotAllowed();
+               RangerContextHolder.setSecurityContext(null);
+               
Mockito.when(restErrorUtil.createRESTException(Mockito.anyString())).thenReturn(new
 WebApplicationException());
+               Assert.assertThrows(WebApplicationException.class, () -> 
serviceREST.grantAccess("HDFS_1", grantRequest, request));
+       }
 }

Reply via email to