Ramachandran Krishnan created RANGER-5657:
---------------------------------------------
Summary: Limit getAllModuleNames() to sys-admin sessions in SessionMgr
Key: RANGER-5657
URL: https://issues.apache.org/jira/browse/RANGER-5657
Project: Ranger
Issue Type: Task
Components: Ranger
Affects Versions: 3.0.0
Reporter: Ramachandran Krishnan
Assignee: Ramachandran Krishnan
RANGER-5627 added config-based super users correctly via the {{superUser}} flag and {{isUserAdmin()}}. The same change also granted all UI modules to every DB key-admin by adding {{|| userSession.isKeyAdmin()}} in {{resetUserModulePermission()}}.

That is unintended: key-admin should retain DB-scoped module permissions ({{findAccessibleModulesByUserId}}). Config super-users already receive all modules through {{isUserAdmin()}} ({{superUser || userAdmin}}).

Impact without fix: a DB key-admin gains Security Zone read access; zone REST APIs return HTTP 200 instead of 400 for users who should be denied.

Fix: use {{getAllModuleNames()}} only when {{userSession.isUserAdmin()}}.
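The gate change described above, shown as an added example that is not Ranger's own SessionMgr code: a simplified session model with the RANGER-5627 condition ({{isUserAdmin() || isKeyAdmin()}}) next to the RANGER-5657 condition ({{isUserAdmin()}} only). The {{Session}} class, the {{resolveBefore}}/{{resolveAfter}} helpers and the module list are constructed for this illustration and assumed, not taken from the project.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ModulePermissionCheck {
    // Hypothetical stand-in for the Ranger session object; not Ranger's UserSessionBase.
    static final class Session {
        final String loginId;
        final boolean superUser;      // config-based super user (RANGER-5627)
        final boolean userAdmin;      // DB sys-admin role
        final boolean keyAdmin;       // DB key-admin role
        final List<String> dbModules; // stands in for findAccessibleModulesByUserId (constructed)

        Session(String loginId, boolean superUser, boolean userAdmin, boolean keyAdmin, List<String> dbModules) {
            this.loginId = loginId; this.superUser = superUser; this.userAdmin = userAdmin;
            this.keyAdmin = keyAdmin; this.dbModules = dbModules;
        }

        // Mirrors the ticket: a config super user or a DB user-admin counts as sys-admin.
        boolean isUserAdmin() { return superUser || userAdmin; }
        boolean isKeyAdmin()  { return keyAdmin; }
    }

    // Constructed module list standing in for getAllModuleNames(); "Security Zone" is the one the ticket cares about.
    static final List<String> ALL_MODULES = Arrays.asList(
        "Resource Based Policies", "Users/Groups", "Reports", "Audit", "Key Manager", "Security Zone");

    // Condition introduced by RANGER-5627: a key-admin short-circuits to every module.
    static Set<String> resolveBefore(Session s) {
        if (s.isUserAdmin() || s.isKeyAdmin()) return new LinkedHashSet<>(ALL_MODULES);
        return new LinkedHashSet<>(s.dbModules);
    }

    // RANGER-5657 condition: only sys-admin sessions get all modules; key-admin keeps its DB-scoped set.
    static Set<String> resolveAfter(Session s) {
        if (s.isUserAdmin()) return new LinkedHashSet<>(ALL_MODULES);
        return new LinkedHashSet<>(s.dbModules);
    }

    public static void main(String[] args) {
        Session keyAdmin  = new Session("keyadmin",  false, false, true,  Arrays.asList("Key Manager"));
        Session superUser = new Session("ops-super", true,  false, false, Arrays.asList("Audit"));
        Session plainUser = new Session("analyst",   false, false, false, Arrays.asList("Reports"));

        // A regression check along the lines of the ticket: key-admin must not see Security Zone,
        // the config super user must see everything, and an ordinary user must stay DB-scoped.
        System.out.println("key-admin sees Security Zone before fix: " + resolveBefore(keyAdmin).contains("Security Zone"));
        System.out.println("key-admin sees Security Zone after fix:  " + resolveAfter(keyAdmin).contains("Security Zone"));
        System.out.println("super user gets all modules after fix:   " + resolveAfter(superUser).containsAll(ALL_MODULES));
        System.out.println("plain user stays DB-scoped after fix:    " + resolveAfter(plainUser).equals(new LinkedHashSet<>(plainUser.dbModules)));
    }
}
```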
--
This message was sent by Atlassian Jira
(v8.20.10#820010)