-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73846/
-----------------------------------------------------------

(Updated June 22, 2022, 3:54 a.m.)


Review request for ranger, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, 
Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Mateen Mansoori, Mehul 
Parikh, Pradeep Agrawal, VaradreawiZTV VaradreawiZTV, Vishal Suvagia, and 
Velmurugan Periasamy.


Changes
-------

Now users can be downloaded too.


Summary (updated)
-----------------

RANGER-3623 Add ability to enable anonymous download of policy/role/tag/user


Bugs: RANGER-3623
    https://issues.apache.org/jira/browse/RANGER-3623


Repository: ranger


Description
-------

Currently, we have an option ranger.admin.allow.unauthenticated.access to allow 
unauthenticated clients to perform a series of API operations. This option 
allows the client to perform both dangerous grant/revoke permission operations 
and relatively safe download operations.

In many cases, allowing anonymous downloading of policies/tags/roles is not a 
serious risk. On the contrary, the complicated Kerberos and SSL settings make it 
difficult for Ranger plugins embedded in third-party services to complete the 
task of refreshing policies, which may be a bigger problem. In particular, a 
refresh failure often has no obvious signs for administrators to discover.

Therefore, I suggest that Ranger add the ability to allow clients to download 
policies/tags/roles anonymously.
There are two ways to achieve it.

1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true", 
which requires modifying 
"security-admin/src/main/resources/conf.dist/security-applicationContext.xml" 
to remove the dangerous operations from 'security="none"'.

2. Add a candidate value "downloadonly" to 
"ranger.admin.allow.unauthenticated.access", which requires modifying 
ServiceREST.java and RangerBizUtil.java to implement the enhanced checking 
logic.

I have a patch for method 2.
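As an added illustration (not code from the Ranger patch or the project itself), here is one fail-closed way to interpret the proposed tri-state option: "true" keeps the existing behaviour, "downloadonly" permits only download operations, and any other or missing value grants nothing. The class, enum and method names are hypothetical.

```java
// Added illustration, not the Ranger patch: fail-closed interpretation of the
// proposed tri-state value of ranger.admin.allow.unauthenticated.access.
// Class and method names are hypothetical.
import java.util.Locale;

public final class AnonymousAccessPolicy {

    /** Kinds of REST operations relevant to the proposal. */
    public enum Operation { DOWNLOAD, GRANT_REVOKE, OTHER }

    /** Parsed value of the option. */
    public enum Mode { NONE, DOWNLOAD_ONLY, ALL }

    private final Mode mode;

    private AnonymousAccessPolicy(Mode mode) { this.mode = mode; }

    /**
     * "true" maps to ALL (existing behaviour) and "downloadonly" to DOWNLOAD_ONLY
     * (proposed). Anything else, including null, "false" and typos, maps to NONE,
     * so a misconfiguration can never widen anonymous access.
     */
    public static AnonymousAccessPolicy fromConfig(String raw) {
        if (raw == null) return new AnonymousAccessPolicy(Mode.NONE);
        switch (raw.trim().toLowerCase(Locale.ROOT)) {
            case "true":         return new AnonymousAccessPolicy(Mode.ALL);
            case "downloadonly": return new AnonymousAccessPolicy(Mode.DOWNLOAD_ONLY);
            default:             return new AnonymousAccessPolicy(Mode.NONE);
        }
    }

    /** Whether an unauthenticated caller may perform the given operation. */
    public boolean permitsAnonymous(Operation op) {
        switch (mode) {
            case ALL:           return true;
            case DOWNLOAD_ONLY: return op == Operation.DOWNLOAD;
            default:            return false;
        }
    }

    public static void main(String[] args) {
        AnonymousAccessPolicy p = fromConfig("downloadonly");
        System.out.println("download:     " + p.permitsAnonymous(Operation.DOWNLOAD));
        System.out.println("grant/revoke: " + p.permitsAnonymous(Operation.GRANT_REVOKE));
        // Unknown values fall back to NONE rather than to the permissive "true" case.
        System.out.println("typo 'yes':   " + fromConfig("yes").permitsAnonymous(Operation.DOWNLOAD));
    }
}
```

The check would be invoked by the download endpoints only; grant/revoke endpoints would continue to require an authenticated caller unless the option is literally "true".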


Diffs (updated)
---------------

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
252198ae8d2d14e25421fd8e9e778bd4c833d85a 
  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 
e007676430057a7e632e2dc9813232ec7c8eb5a8 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
58013415cd9bd3ea017442becfcc65d4c3b3c1c4 
  security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
01df04e3ff9eb4edc7d5b80d405bdcf201335205 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
efb74ce1c088c83926a05b20b2b7946fa14d5f73 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
58f434da5014e19511d04bb04462ac752394c858 


Diff: https://reviews.apache.org/r/73846/diff/3/

Changes: https://reviews.apache.org/r/73846/diff/2-3/


Testing
-------

mvn clean build package
Fresh install and upgrade.


File Attachments (updated)
--------------------------

0001-RANGER-3623-Add-ability-to-enable-anonymous-download.patch
https://reviews.apache.org/media/uploaded/files/2022/06/22/a305e34e-6b5e-4c2d-94af-23354c934960__0001-RANGER-3623-Add-ability-to-enable-anonymous-download.patch


Thanks,

Kirby Zhou
