Kundan Kumar Jha created RANGER-4059:
----------------------------------------
Summary: Users of type ROLE_USER are able to get all the roles
from /service/public/v2/api/roles endpoint.
Key: RANGER-4059
URL: https://issues.apache.org/jira/browse/RANGER-4059
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Kundan Kumar Jha
Problem Statement:
A user with only ROLE_USER role is able to get all the roles from
/service/public/v2/api/roles API.
Steps to reproduce the bug:
Create a user test_user with 'userRoleList': ["ROLE_USER"].
Then make a GET request to the /service/public/v2/api/roles endpoint, authenticating with
test_user's credentials.
It returns the list of all roles.
As the users have only ROLE_USER access, they don't have access to view
roles.
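A regression check for the behaviour reported above, added here as an example (it is not Ranger project code and not the reporter's): it requests the roles endpoint as a given user and reports whether a role list came back. Assumptions: HTTP basic auth, a 2xx response with a non-empty JSON body counts as exposure, and `make_stub` is a constructed local stand-in whose accounts, role names and 403 response are illustrative.

```python
import base64, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLES_PATH = "/service/public/v2/api/roles"  # endpoint named in the report

def roles_visible_to(base_url, user, password):
    """GET the roles endpoint as `user`; return (HTTP status, number of roles returned)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()  # assumption: basic auth
    req = urllib.request.Request(base_url.rstrip("/") + ROLES_PATH,
                                 headers={"Authorization": "Basic " + token,
                                          "Accept": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(req, timeout=10) as resp:
            body = json.loads(resp.read() or b"[]")
            return resp.status, len(body) if isinstance(body, list) else 1
    except urllib.error.HTTPError as err:
        return err.code, 0

def is_exposed(result):
    """True when the caller received a non-empty role list (the condition in the report)."""
    status, count = result
    return 200 <= status < 300 and count > 0

def make_stub(enforce):
    """Constructed local stand-in (not Ranger): enforce=False models the reported behaviour."""
    users = {"test_user": "ROLE_USER", "admin_user": "ROLE_SYS_ADMIN"}  # constructed accounts
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            raw = self.headers.get("Authorization", "")[len("Basic "):]
            name = base64.b64decode(raw).decode().split(":")[0] if raw else ""
            denied = name not in users or (enforce and users[name] == "ROLE_USER")
            body = b"" if denied else json.dumps([{"name": "role_a"}, {"name": "role_b"}]).encode()
            self.send_response(403 if denied else 200)  # 403 on denial is an assumption
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    for enforce in (False, True):
        server, url = make_stub(enforce)
        result = roles_visible_to(url, "test_user", "constructed-password")
        print(f"enforce={enforce}: status={result[0]} roles={result[1]} exposed={is_exposed(result)}")
        server.shutdown()
```

Against a test deployment, call `roles_visible_to` with the instance's base URL and the ROLE_USER account's credentials; `is_exposed` returning True means the condition in this issue is present.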