[ https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492928#comment-17492928 ]
kirby zhou commented on RANGER-3623:
------------------------------------
No, I want to pull policies from Ranger in third-party services without any
authentication.
At present, if I enable anonymous/unauthenticated pulling/downloading, the
unauthenticated policy modification will also be enabled.
The ability I want to add is to allow anonymous downloads independently.
> Add ability to enable anonymous download of policy/role/tag
> -----------------------------------------------------------
>
> Key: RANGER-3623
> URL: https://issues.apache.org/jira/browse/RANGER-3623
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 3.0.0, 2.3.0
> Reporter: kirby zhou
> Priority: Major
> Attachments: add-downloadonly-option.patch
>
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to
> allow unauthenticated clients to perform a series of API operations. This
> option allows the client to perform both dangerous grant/revoke permission
> operations and relatively safe download operations.
> In many cases, allowing anonymous downloading of policy is not a serious risk
> problem. On the contrary, the complicated Kerberos and SSL settings make it
> difficult for the Ranger plugin embedded in third-party services to complete the
> task of refreshing policy, which may be a bigger problem. In particular,
> refresh failure often has no obvious features for administrators to discover.
> Therefore, I suggest that Ranger add the ability to allow clients to
> download policy/tag/roles anonymously.
> There are two ways to achieve it.
>
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true",
> which needs to modify
> "security-admin/src/main/resources/conf.dist/security-applicationContext.xml"
> to remove dangerous operations from 'security="none"'.
>
> 2. Add a candidate value "downloadonly" to
> "ranger.admin.allow.unauthenticated.access",
> which needs to modify ServiceRest.Java and BizUtil.java to implement the
> enhanced checking logic.
>
> I have a patch for method 2.
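An added sketch of option 2 from the issue description (not the attached patch and not Ranger's own code): a three-valued check for `ranger.admin.allow.unauthenticated.access` in which `downloadonly` admits anonymous GET downloads but not grant/revoke. The class and method names, the URL path prefixes and the sample service name are assumptions for illustration.

```java
import java.util.List;
import java.util.Locale;

// Hypothetical model, not Ranger code: decides whether an unauthenticated
// request is admitted for each value of ranger.admin.allow.unauthenticated.access.
public class UnauthAccessCheck {
    enum Mode { FALSE, TRUE, DOWNLOADONLY }

    // Assumed path prefixes; verify against your Ranger Admin version.
    static final List<String> DOWNLOAD_PREFIXES = List.of(
        "/service/plugins/policies/download/",
        "/service/tags/download/",
        "/service/roles/download/");
    static final List<String> MUTATING_PREFIXES = List.of(
        "/service/plugins/services/grant/",
        "/service/plugins/services/revoke/");

    static Mode parseMode(String raw) {
        if (raw == null) return Mode.FALSE;
        switch (raw.trim().toLowerCase(Locale.ROOT)) {
            case "true": return Mode.TRUE;
            case "downloadonly": return Mode.DOWNLOADONLY;
            default: return Mode.FALSE; // unknown or misspelled values fail closed
        }
    }

    static boolean startsWithAny(String path, List<String> prefixes) {
        return prefixes.stream().anyMatch(path::startsWith);
    }

    static boolean allowAnonymous(Mode mode, String method, String path) {
        // A download is a GET on a download path; any other verb there is refused.
        boolean download = "GET".equals(method) && startsWithAny(path, DOWNLOAD_PREFIXES);
        boolean mutating = startsWithAny(path, MUTATING_PREFIXES);
        switch (mode) {
            case TRUE: return download || mutating; // behaviour the issue describes today
            case DOWNLOADONLY: return download;     // proposed: anonymous read-only pulls
            default: return false;                  // authentication required
        }
    }

    public static void main(String[] args) {
        String[][] requests = { // constructed sample requests
            {"GET", "/service/plugins/policies/download/hive_dev"},
            {"POST", "/service/plugins/policies/download/hive_dev"},
            {"POST", "/service/plugins/services/grant/hive_dev"}};
        for (String value : new String[] {"false", "true", "downloadonly", "downloadonyl"})
            for (String[] r : requests)
                System.out.printf("%-13s %-4s %-46s -> %s%n", value, r[0], r[1],
                    allowAnonymous(parseMode(value), r[0], r[1]) ? "allow" : "401");
    }
}
```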