[ https://issues.apache.org/jira/browse/RANGER-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

kirby zhou updated RANGER-3616:
-------------------------------
    Description: 
We can use the REST API /service/xusers/ugsync/users to create a user without a
userRoleList, and the user is hidden in the Ranger Admin user list.

#] curl -u: --negotiate --header 'Content-Type: application/json' \
     --data '{"vXUsers": [{"name": "hehe", "description": "hehe", "syncSource": "Unix"}], "totalCount": 1}' \
     'http://kirbytest01.sa:6080/service/xusers/ugsync/users'
1

The user "hehe" is created, but cannot be seen in the Web UI.

!截屏2022-02-11 上午10.23.40.jpg!

But it can be used in policies, which should be a security risk.

!截屏2022-02-11 上午10.24.27.jpg!

  was:
We can use the REST API /service/xusers/ugsync/users to create a user without a
userRoleList, and the user is hidden in the Ranger Admin user list.

#] curl -u: --negotiate --header 'Content-Type: application/json' \
     --data '{"vXUsers": [{"name": "hehe", "description": "hehe", "syncSource": "Unix"}], "totalCount": 1}' \
     'http://kirbytest01.sa:6080/service/xusers/ugsync/users'
1

The user "hehe" is created, but cannot be seen in the Web UI.

But it can be used in policies, which should be a security risk.


> Security Risk. ugsync API can create a hidden user.
> ---------------------------------------------------
>
>                 Key: RANGER-3616
>                 URL: https://issues.apache.org/jira/browse/RANGER-3616
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger, usersync
>    Affects Versions: 3.0.0, 2.2.0
>            Reporter: kirby zhou
>            Priority: Major
>         Attachments: 截屏2022-02-11 上午10.23.40.jpg, 截屏2022-02-11 上午10.24.27.jpg
>
>
> We can use the REST API /service/xusers/ugsync/users to create a user without a
> userRoleList, and the user is hidden in the Ranger Admin user list.
>  
> #] curl -u: --negotiate --header 'Content-Type: application/json' \
>      --data '{"vXUsers": [{"name": "hehe", "description": "hehe", "syncSource": "Unix"}], "totalCount": 1}' \
>      'http://kirbytest01.sa:6080/service/xusers/ugsync/users'
> 1
> The user "hehe" is created, but cannot be seen in the Web UI.
> !截屏2022-02-11 上午10.23.40.jpg!
> But it can be used in policies, which should be a security risk.
> !截屏2022-02-11 上午10.24.27.jpg!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

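The report above describes a user created through ugsync/users with no userRoleList that is absent from the Admin user list but still usable as a policy subject. As an added example (not code from the report or from the Ranger project), the script below shows two checks a practitioner would want: an audit over a user listing that flags every account lacking roles, and a payload validator that rejects such a ugsync request before it is sent. It relies only on the field names visible in the report (vXUsers, name, userRoleList, totalCount); the listing structure, the sample users, the ROLE_USER value and the proxy-side placement of the validator are assumptions of this example, and all sample data is constructed.

```python
"""Audit and validation helpers for the RANGER-3616 symptom.

Added example, not Ranger project code. It assumes the listing endpoint
/service/xusers/users returns {"vXUsers": [...]} with "name" and (normally)
"userRoleList" on each user, which matches the field names used in the report.
"""
import json

# Constructed sample of a user listing, reduced to the fields the check needs.
# "hehe" mirrors the report: created via ugsync/users with no userRoleList.
SAMPLE_LISTING = json.dumps({
    "totalCount": 4,
    "vXUsers": [
        {"id": 1, "name": "admin", "userRoleList": ["ROLE_SYS_ADMIN"]},
        {"id": 7, "name": "alice", "userRoleList": ["ROLE_USER"]},
        {"id": 9, "name": "hehe", "description": "hehe"},   # key absent entirely
        {"id": 10, "name": "bob", "userRoleList": []},       # key present but empty
    ],
})


def users_without_roles(listing_json: str) -> list:
    """Return the names of users whose userRoleList is missing or empty.

    These are the accounts the report is about: they exist in the database,
    do not appear in the Admin user list, and can still be named in policies.
    """
    listing = json.loads(listing_json)
    flagged = []
    for user in listing.get("vXUsers", []):
        roles = user.get("userRoleList") or []   # None, missing and [] all count
        if not roles:
            flagged.append(user["name"])
    return flagged


def validate_ugsync_payload(payload_json: str) -> list:
    """Check a ugsync/users request body before it reaches Ranger.

    Returns a list of problems; an empty list means every vXUser entry carries
    at least one role. Placing this check client- or proxy-side is an
    assumption of this example; the report's point is that the server itself
    accepts the role-less entry.
    """
    body = json.loads(payload_json)
    problems = []
    for idx, user in enumerate(body.get("vXUsers", [])):
        name = user.get("name", f"<index {idx}>")
        if not user.get("userRoleList"):
            problems.append(f"{name}: missing or empty userRoleList")
    return problems


# The request body from the report, and the same body with a role supplied
# (ROLE_USER as the assumed role value).
REPORTED_PAYLOAD = json.dumps({
    "vXUsers": [{"name": "hehe", "description": "hehe", "syncSource": "Unix"}],
    "totalCount": 1,
})
CORRECTED_PAYLOAD = json.dumps({
    "vXUsers": [{"name": "hehe", "description": "hehe", "syncSource": "Unix",
                 "userRoleList": ["ROLE_USER"]}],
    "totalCount": 1,
})

if __name__ == "__main__":
    print("users lacking roles:", users_without_roles(SAMPLE_LISTING))
    print("reported payload problems:", validate_ugsync_payload(REPORTED_PAYLOAD))
    print("corrected payload problems:", validate_ugsync_payload(CORRECTED_PAYLOAD))
```

Running the audit against a real instance means fetching /service/xusers/users with the same Kerberos authentication the report's curl command uses and passing the response body to users_without_roles; any name it returns that is absent from the Admin user list is a hidden account of the kind described here.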