Ramachandran Krishnan created RANGER-5657:
---------------------------------------------

             Summary: Limit getAllModuleNames() to sys-admin sessions in SessionMgr
                 Key: RANGER-5657
                 URL: https://issues.apache.org/jira/browse/RANGER-5657
             Project: Ranger
          Issue Type: Task
          Components: Ranger
    Affects Versions: 3.0.0
            Reporter: Ramachandran Krishnan
            Assignee: Ramachandran Krishnan


RANGER-5627 added config-based super users correctly via the {{superUser}} flag 
and {{isUserAdmin()}}. The same change also granted all UI modules to every 
DB key-admin by adding {{|| userSession.isKeyAdmin()}} in 
{{resetUserModulePermission()}}.

That is unintended: key-admin should retain DB-scoped module permissions 
({{findAccessibleModulesByUserId}}). Config super-users already receive all 
modules through {{isUserAdmin()}} ({{superUser || userAdmin}}).

Impact without fix: DB key-admin gains Security Zone read access; zone REST 
APIs return HTTP 200 instead of 400 for users who should be denied.

Fix: Use {{getAllModuleNames()}} only when {{userSession.isUserAdmin()}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
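The over-grant the issue describes, as an added illustration that is not Ranger's own code: the session class, module names, the two resolver methods and the zone status check below are hypothetical stand-ins for SessionMgr.resetUserModulePermission(), getAllModuleNames(), findAccessibleModulesByUserId() and the isUserAdmin()/isKeyAdmin()/superUser flags named above. It shows the condition before and after the proposed fix side by side.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added illustration of the RANGER-5657 condition; not Ranger's code.
// Everything here is a hypothetical stand-in for the SessionMgr logic the
// issue refers to; module names and sessions are constructed sample data.
public class ModulePermissionExample {

    // Constructed module list standing in for getAllModuleNames().
    static final List<String> ALL_MODULES = List.of(
            "Resource Based Policies", "Users/Groups", "Reports", "Audit",
            "Key Manager", "Tag Based Policies", "Security Zone");

    static final String SECURITY_ZONE = "Security Zone";

    // Stand-in for the session object: only the three flags the issue mentions
    // plus the DB-scoped module set are modelled.
    static final class UserSession {
        final boolean userAdmin;      // DB role ROLE_SYS_ADMIN
        final boolean superUser;      // config-based super user (RANGER-5627)
        final boolean keyAdmin;       // DB role ROLE_KEY_ADMIN
        final Set<String> dbModules;  // stand-in for findAccessibleModulesByUserId()

        UserSession(boolean userAdmin, boolean superUser, boolean keyAdmin,
                    Set<String> dbModules) {
            this.userAdmin = userAdmin;
            this.superUser = superUser;
            this.keyAdmin = keyAdmin;
            this.dbModules = dbModules;
        }

        // Mirrors the issue text: isUserAdmin() is superUser || userAdmin.
        boolean isUserAdmin() { return superUser || userAdmin; }
        boolean isKeyAdmin() { return keyAdmin; }
        Set<String> findAccessibleModulesByUserId() { return dbModules; }
    }

    // Before the fix: key-admin is lumped in with sys-admin via "|| isKeyAdmin()"
    // and therefore receives every module, Security Zone included.
    static Set<String> resolveModulesBeforeFix(UserSession s) {
        if (s.isUserAdmin() || s.isKeyAdmin()) {
            return new LinkedHashSet<>(ALL_MODULES);
        }
        return s.findAccessibleModulesByUserId();
    }

    // After the fix: only isUserAdmin() (superUser || userAdmin) takes the
    // all-modules path; key-admin falls through to its DB-scoped modules.
    static Set<String> resolveModulesAfterFix(UserSession s) {
        if (s.isUserAdmin()) {
            return new LinkedHashSet<>(ALL_MODULES);
        }
        return s.findAccessibleModulesByUserId();
    }

    // Stand-in for the module check a zone REST endpoint performs:
    // 200 when the session holds the Security Zone module, otherwise 400,
    // the two status codes the issue contrasts.
    static int zoneApiStatus(Set<String> modules) {
        return modules.contains(SECURITY_ZONE) ? 200 : 400;
    }

    public static void main(String[] args) {
        // Constructed DB key-admin whose DB-scoped modules exclude Security Zone.
        UserSession keyAdmin = new UserSession(false, false, true,
                new LinkedHashSet<>(List.of("Key Manager")));
        // Constructed config-based super user with no DB module rows at all.
        UserSession configSuperUser = new UserSession(false, true, false, Set.of());

        System.out.println("key-admin, before fix : "
                + zoneApiStatus(resolveModulesBeforeFix(keyAdmin)));
        System.out.println("key-admin, after fix  : "
                + zoneApiStatus(resolveModulesAfterFix(keyAdmin)));
        System.out.println("super-user, before fix: "
                + zoneApiStatus(resolveModulesBeforeFix(configSuperUser)));
        System.out.println("super-user, after fix : "
                + zoneApiStatus(resolveModulesAfterFix(configSuperUser)));
    }
}
```

Running it shows the asymmetry the issue calls out: the constructed key-admin reaches the zone check with 200 under the pre-fix condition and 400 once only isUserAdmin() selects the all-modules path, while the config super-user keeps 200 in both cases because isUserAdmin() already covers superUser.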