vyommani opened a new pull request, #1067:
URL: https://github.com/apache/ranger/pull/1067

   GdsREST.getSecureServiceGdsInfoIfUpdated() 
(/service/gds/secure/download/{serviceName}) used a weaker validation path than 
the equivalent secure download endpoints for policies, roles, tags, and 
user-store data.
   
   ## What changes were proposed in this pull request?
   
   Replace serviceUtil.isValidateHttpsAuthentication(...) with 
serviceUtil.isValidService(...)
   Add admin/allow-list authorization check (bizUtil.isAdmin(), 
bizUtil.isUserAllowed(..., Allowed_User_List_For_Download / 
Allowed_User_List_For_Grant_Revoke)), matching 
ServiceREST.getSecureServicePoliciesIfUpdated()
   Return 403 when the caller isn't admin or allow-listed for the service
   
   ## How was this patch tested?
   
   Updated TestGdsREST with coverage for admin, allow-listed non-admin, and 
forbidden non-admin paths
   Verified live: low-privileged authenticated user now gets 403 (was 200); 
admin and allow-listed users still get 200; sibling policy-download endpoint 
behavior unaffected (control)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to