ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pradeep Agrawal <pradeep.agra...@freestoneinfotech.com>
Subject Review Request 55703: RANGER-1197 : non admin user is able to get plugin status info
Date Thu, 19 Jan 2017 08:24:03 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55703/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul
Parikh, and Velmurugan Periasamy.


Bugs: RANGER-1197
    https://issues.apache.org/jira/browse/RANGER-1197


Repository: ranger


Description
-------

**Problem Statement: ** non admin user is able to download the plugin status info.

**Steps to Reproduce :**
1) Added an user pradeep with User role
2) Made the following rest call to get plugin status :
curl -i -u pradeep:user1234 "http://localhost:6080/service/public/v2/api/plugins/info"

output :

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=AC7C627728EBEF5B3251CF13FEE1F8DD; Path=/; HttpOnly
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=ctr-e84-1482462582057-1395-01-000002.hwx.site; Expires=Thu,
01-Jan-1970 00:00:00 GMT; HttpOnly
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 27 Dec 2016 12:00:38 GMT


**Proposed solution :**
*Facts :* 1. Currently, Plugin info API is listed in 'Audit' Tab and 'Reports' Tab.
2. By Default all new users are allowed to access 'Resouce based policy' and 'Reports' Tab.

*Observation :* Since API is listed in 'Reports' Tab and user is having access to 'Report'
Tab so user is able to view the plugin details.

*Solution :* We can remove Plugin info REST API association from 'Reports' tab.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java 3529601


Diff: https://reviews.apache.org/r/55703/diff/


Testing
-------

**Steps Performed(with patch):**
1. Untar ranger-admin from Build having changes of proposed patch.
2. Provided ranger db root and admin db details in install.properties.
3. Executed setup.sh script.
4. Started ranger admin service.
5. Added an user pradeep with User role
6. Made the following rest call to get plugin status :
curl -i -u pradeep:user1234 "http://localhost:6080/service/public/v2/api/plugins/info"

**Expected behaviour :** user pradeep should not able to download the plugin status.

**Actual behaviour :** user pradeep was not able to download the plugin status.
**Actual output : **
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=1292FC277F38E629E3BC54B283D16FAD; Path=/; HttpOnly
X-Frame-Options: DENY
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 979
Date: Thu, 19 Jan 2017 08:22:14 GMT

<html><head><title>Apache Tomcat/7.0.68 - Error report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP
Status 403 - Forbidden</h1><HR size="1" noshade="noshade"><p><b>type</b>
Status report</p><p><b>message</b> <u>Forbidden</u></p><p><b>description</b>
<u>Access to the specified resource has been forbidden.</u></p><HR size="1"
noshade="noshade"><h3>Apache Tomcat/7.0.68</h3></body></html>[root@node-1
ews]#


Thanks,

Pradeep Agrawal


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message