[ 
https://issues.apache.org/jira/browse/RANGER-5657?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramachandran Krishnan resolved RANGER-5657.
-------------------------------------------
    Fix Version/s: 3.0.0
       Resolution: Fixed

> Limit getAllModuleNames() to sys-admin sessions in SessionMgr
> -------------------------------------------------------------
>
>                 Key: RANGER-5657
>                 URL: https://issues.apache.org/jira/browse/RANGER-5657
>             Project: Ranger
>          Issue Type: Task
>          Components: Ranger
>    Affects Versions: 3.0.0
>            Reporter: Ramachandran Krishnan
>            Assignee: Ramachandran Krishnan
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> RANGER-5627 added config-based super users correctly via the {{superUser}} 
> flag and {{{}isUserAdmin(){}}}. The same change also granted all UI modules 
> to every DB key-admin by adding {{|| userSession.isKeyAdmin()}} in 
> {{{}resetUserModulePermission(){}}}.
> That is unintended: key-admin should retain DB-scoped module permissions 
> ({{{}findAccessibleModulesByUserId{}}}). Config super-users already receive 
> all modules through {{isUserAdmin()}} ({{{}superUser || userAdmin{}}}).
> Impact without fix: DB key-admin gains Security Zone read access; zone REST 
> APIs return HTTP 200 instead of 400 for users who should be denied.
> Fix: Use {{getAllModuleNames()}} only when {{{}userSession.isUserAdmin(){}}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to