[ 
https://issues.apache.org/jira/browse/RANGER-4546?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790524#comment-17790524
 ] 

Pradeep Agrawal commented on RANGER-4546:
-----------------------------------------

Review request link : https://reviews.apache.org/r/74763/

> /assets/ugsyncAudits/{sync_source} API is accessible by user without 
> permission on audit module
> -----------------------------------------------------------------------------------------------
>
>                 Key: RANGER-4546
>                 URL: https://issues.apache.org/jira/browse/RANGER-4546
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhishek
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: 
> 0002-RANGER-4546-assets-ugsyncAudits-sync_source-API-is-a.patch
>
>
> A user without permission on the audits module is able to access the 
> /assets/ugsyncAudits/{sync_source} API.
> Ideally, the user should not be allowed to access the API, and it should 
> result in a 403 error.
> If the same user tries to access the /assets/ugsyncAudits API, it results in 
> a 403 error (as expected).
> Similarly, the behaviour has to be changed for the 
> /assets/ugsyncAudits/{sync_source} API.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
