> On June 13, 2022, 2:45 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Lines 130 (patched)
> > <https://reviews.apache.org/r/73846/diff/2/?file=2268244#file2268244line130>
> >
> >     Default value in #130 should be allowUnauthenticatedAccessInSecureEnvironment, so that downloads will continue to be allowed in existing deployments where ranger.admin.allow.unauthenticated.access is set to true.

OK


> On June 13, 2022, 2:45 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
> > Lines 477 (patched)
> > <https://reviews.apache.org/r/73846/diff/2/?file=2268244#file2268244line477>
> >
> >     With changes suggested in #130 above, #477 can be simplified as:
> >     if (!allowUnauthenticatedDownloadAccessInSecureEnvironment) {

OK


> On June 13, 2022, 2:45 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
> > Lines 188 (patched)
> > <https://reviews.apache.org/r/73846/diff/2/?file=2268248#file2268248line188>
> >
> >     This should be extended to /service/xusers/download/ as well - XUserREST.getRangerUserStoreIfUpdated().

It seems easy, but I am not sure: will XUserREST.getRangerUserStoreIfUpdated return some information related to passwords or privacy?


- Kirby


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73846/#review224495
-----------------------------------------------------------


On June 13, 2022, 9:17 a.m., Kirby Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73846/
> -----------------------------------------------------------
> 
> (Updated June 13, 2022, 9:17 a.m.)
> 
> 
> Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-3623
>     https://issues.apache.org/jira/browse/RANGER-3623
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Currently, we have an option ranger.admin.allow.unauthenticated.access to allow unauthenticated clients to perform a series of API operations. This option allows the client to perform both dangerous grant/revoke permission operations and relatively safe download operations.
> 
> In many cases, allowing anonymous downloading of policy/tag/role is not a serious risk problem. On the contrary, the complicated Kerberos and SSL settings make it difficult for the ranger plugin embedded in third-party services to complete the task of refreshing policy, which may be a bigger problem. In particular, refresh failure often has no obvious features for administrators to discover.
> 
> Therefore, I suggest that ranger increase the ability to allow clients to download policy/tag/roles anonymously.
> There are two ways to achieve it.
> 
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true", which needs modifying "security-admin/src/main/resources/conf.dist/security-applicationContext.xml" to remove dangerous operations from 'security="none"'.
> 
> 2. Add a candidate value "downloadonly" to "ranger.admin.allow.unauthenticated.access", which needs modifying ServiceRest.Java and BizUtil.java to implement the enhanced checking logic.
> 
> I have a patch for method 2.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 252198ae8d2d14e25421fd8e9e778bd4c833d85a 
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java e007676430057a7e632e2dc9813232ec7c8eb5a8 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 58013415cd9bd3ea017442becfcc65d4c3b3c1c4 
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 01df04e3ff9eb4edc7d5b80d405bdcf201335205 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 58f434da5014e19511d04bb04462ac752394c858 
> 
> 
> Diff: https://reviews.apache.org/r/73846/diff/2/
> 
> 
> Testing
> -------
> 
> mvn clean build package
> fresh install and upgrade.
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>
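The gating logic that method 2 in the review request describes, and that Madhan's comments on #130 and #477 refine, written out as an added stand-alone illustration. This is not Apache Ranger's code and none of the names below (UnauthenticatedAccessPolicy, Mode, Operation, isAllowed) exist in the project; it only shows how the three settings of ranger.admin.allow.unauthenticated.access ("false", "true", "downloadonly") map onto anonymous access for the read-only download endpoints versus the grant/revoke endpoints, and why "true" must keep downloads allowed so existing deployments do not break.

```java
import java.util.Locale;

// Added illustration, not Apache Ranger's code. All identifiers are hypothetical.
public final class UnauthenticatedAccessPolicy {

    /** Operation classes the admin REST layer distinguishes. */
    public enum Operation {
        // Read-only refresh paths used by plugins (policy/tag/role download).
        DOWNLOAD_POLICY, DOWNLOAD_TAG, DOWNLOAD_ROLE,
        // /service/xusers/download/ as raised in the review; whether it belongs
        // in the anonymous set is the open question about user-store contents.
        DOWNLOAD_USERSTORE,
        // Mutating paths that the review calls "dangerous".
        GRANT, REVOKE
    }

    /** Parsed value of ranger.admin.allow.unauthenticated.access. */
    public enum Mode { NONE, DOWNLOAD_ONLY, ALL }

    private final Mode mode;

    public UnauthenticatedAccessPolicy(String configValue) {
        this.mode = parse(configValue);
    }

    /**
     * "true" keeps the legacy meaning (every unauthenticated operation), so
     * downloads continue to work in deployments that already set it; anything
     * unrecognised, including a missing value, fails closed to NONE.
     */
    static Mode parse(String value) {
        if (value == null) {
            return Mode.NONE;
        }
        switch (value.trim().toLowerCase(Locale.ROOT)) {
            case "true":         return Mode.ALL;
            case "downloadonly": return Mode.DOWNLOAD_ONLY;
            default:             return Mode.NONE;   // covers "false" and typos
        }
    }

    static boolean isDownload(Operation op) {
        switch (op) {
            case DOWNLOAD_POLICY:
            case DOWNLOAD_TAG:
            case DOWNLOAD_ROLE:
            case DOWNLOAD_USERSTORE:
                return true;
            default:
                return false;
        }
    }

    /**
     * Authenticated callers are unaffected by this setting and go on to the
     * normal authorization checks; only the anonymous case consults the mode.
     */
    public boolean isAllowed(Operation op, boolean authenticated) {
        if (authenticated) {
            return true;
        }
        switch (mode) {
            case ALL:           return true;
            case DOWNLOAD_ONLY: return isDownload(op);
            default:            return false;
        }
    }

    public static void main(String[] args) {
        UnauthenticatedAccessPolicy downloadOnly = new UnauthenticatedAccessPolicy("downloadonly");
        UnauthenticatedAccessPolicy legacyTrue   = new UnauthenticatedAccessPolicy("true");
        UnauthenticatedAccessPolicy off          = new UnauthenticatedAccessPolicy("false");

        for (Operation op : Operation.values()) {
            System.out.printf("%-18s downloadonly=%-5b true=%-5b false=%-5b%n", op,
                    downloadOnly.isAllowed(op, false),
                    legacyTrue.isAllowed(op, false),
                    off.isAllowed(op, false));
        }
    }
}
```

Running the class prints one row per operation: under "downloadonly" only the four download rows are permitted anonymously, under "true" every row is, and under "false" none are. The fail-closed default in parse is the detail worth keeping when wiring a value like this into a real check: a misspelt setting should deny anonymous access rather than silently fall back to the permissive legacy behaviour.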
