ramackri opened a new pull request, #1043:
URL: https://github.com/apache/ranger/pull/1043

   ## Summary
   
   Backport of 
[0274a6a0](https://github.com/apache/ranger/commit/0274a6a0bc9680a7640e97432f8cbd3217a1659c)
 / [#1036](https://github.com/apache/ranger/pull/1036) to `ranger-2.9`.
   
   Follow-up fix for 
[RANGER-5627](https://issues.apache.org/jira/browse/RANGER-5627). RANGER-5627 
changed `SessionMgr.resetUserModulePermission()` to grant all UI modules when 
`isUserAdmin() || isKeyAdmin()`. That incorrectly gives DB key-admin users the 
full module list (including Security Zone) via `getAllModuleNames()`.
   
   **Fix:** use `getAllModuleNames()` only when `userSession.isUserAdmin()`. 
Config super-users are unaffected (they already get full admin through 
`superUser` → `isUserAdmin()`).
   
   Fixes [RANGER-5657](https://issues.apache.org/jira/browse/RANGER-5657).
   
   ## Test plan
   
   - [ ] `mvn test -pl security-admin 
-Dtest=TestSessionMgr,TestRangerSuperUserConfig -Drat.skip=true 
-Dcheckstyle.skip=true -Dpmd.skip=true -Dspotbugs.skip=true`
   - [ ] Manual: DB key-admin should not see Security Zone in profile; zone GET 
returns 400
   - [ ] Manual: sys admin and config super-users unchanged (all modules, zone 
GET 200)
   
   
   Made with [Cursor](https://cursor.com)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to