[
https://issues.apache.org/jira/browse/RANGER-5657?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18093648#comment-18093648
]
Ramachandran Krishnan commented on RANGER-5657:
-----------------------------------------------
Merged into ranger-2.9 branch commit
details:https://github.com/apache/ranger/commit/e62a798b1fd2e75be954f3de7eff86e487d0cfad
> Limit getAllModuleNames() to sys-admin sessions in SessionMgr
> -------------------------------------------------------------
>
> Key: RANGER-5657
> URL: https://issues.apache.org/jira/browse/RANGER-5657
> Project: Ranger
> Issue Type: Task
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramachandran Krishnan
> Assignee: Ramachandran Krishnan
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> RANGER-5627 added config-based super users correctly via the {{superUser}}
> flag and {{{}isUserAdmin(){}}}. The same change also granted all UI modules
> to every DB key-admin by adding {{|| userSession.isKeyAdmin()}} in
> {{{}resetUserModulePermission(){}}}.
> That is unintended: key-admin should retain DB-scoped module permissions
> ({{{}findAccessibleModulesByUserId{}}}). Config super-users already receive
> all modules through {{isUserAdmin()}} ({{{}superUser || userAdmin{}}}).
> Impact without fix: DB key-admin gains Security Zone read access; zone REST
> APIs return HTTP 200 instead of 400 for users who should be denied.
> Fix: Use {{getAllModuleNames()}} only when {{{}userSession.isUserAdmin(){}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)