[
https://issues.apache.org/jira/browse/RANGER-3502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kishor Gollapalliwar updated RANGER-3502:
-----------------------------------------
Description:
Currently the get
[zones|https://ranger.apache.org/apidocs/resource_SecurityZoneREST.html#resource_SecurityZoneREST_getAllZones_GET]
API returns all zones, even for users who are not authorized for the zone module.
Restrict this API to only users who are authorized for the zone module.
Steps to reproduce:
# Create an internal user named test_user1
# Remove the permission on the Security Zone module for a user
# Log in as the test_user1 user to Ranger Admin; the user should not be able to see the Security Zone tab
# Access the API using curl
{code:java}
curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" \
  -H "Content-Type:application/json" \
  "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
{code}
{code:java}
curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" \
  -H "Content-Type:application/json" \
  "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"
{code}
{code:java}
curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" \
  -H "Content-Type:application/json" \
  "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"
{code}
was:
Currently the get
[zones|https://ranger.apache.org/apidocs/resource_SecurityZoneREST.html#resource_SecurityZoneREST_getAllZones_GET]
API returns all zones, even for users who are not authorized for the zone module.
Restrict this API to only users who are authorized for the zone module.
Steps to reproduce:
# Create an internal user named test_user1
# Remove the permission on the Security Zone module for a user
# Log in as the test_user1 user to Ranger Admin; the user should not be able to see the Security Zone tab
# Access the API using curl
{code:java}
curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" \
  -H "Content-Type:application/json" \
  "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
{code}
> Make GET zone APIs accessible to authorized users only
> ------------------------------------------------------
>
> Key: RANGER-3502
> URL: https://issues.apache.org/jira/browse/RANGER-3502
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Kishor Gollapalliwar
> Assignee: Kishor Gollapalliwar
> Priority: Major
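A regression check for the reproduction steps in the description, as an added example that is not part of the original issue or of Ranger's code: it requests the three GET zone routes as the user without Security Zone permission and lists any route that still answers 2xx. The function names, the injectable `fetch` parameter, and treating every non-2xx status (including redirects) as a refusal are assumptions of this example.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# GET routes named in the issue; {id} and {name} are filled in by the caller.
ZONE_GET_ROUTES = (
    "/service/zones/zones",
    "/service/zones/zones/{id}",
    "/service/zones/zones/name/{name}",
)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as a status instead of following it to a login page."""
    def redirect_request(self, *args, **kwargs):
        return None


def http_status(url, user, password):
    """Authenticated GET returning only the status code (TLS is verified, unlike curl -k)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/401/403 are raised as exceptions, not returned


def exposed_zone_routes(base_url, zone_id, zone_name, user, password, fetch=http_status):
    """Return the zone GET routes that still answer 2xx for this user.

    An empty list means every route refused the caller.
    """
    exposed = []
    for route in ZONE_GET_ROUTES:
        name = urllib.parse.quote(str(zone_name), safe="")
        path = route.format(id=zone_id, name=name)
        status = fetch(base_url.rstrip("/") + path, user, password)
        if 200 <= status < 300:
            exposed.append(path)
    return exposed
```

Run it against a test instance with an existing zone's ID and name; a non-empty result for the unprivileged account means the read routes are not gated on the module permission.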