[RANGER-3502] Make GET zone APIs accessible to authorized users only - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.0.0, 2.3.0
Component/s: Ranger
Labels:
None

Description

Currently get zones API returns all zones even for users who are not authorized to zone modules. Restrict this API to only users who are authorized to zone module.

Steps to reproduce:

Create a internal user name, test_user1
Remove the permission on Security Zone module for a user
Login as test_user1 user to Ranger Admin, user should not be able to see Security Zone tab
Access the API using curl

curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"

curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/{ID}"

curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones/name/{ZONE_NAME}"

Attachments

Activity

People

Assignee:: Kishor Gollapalliwar

Reporter:: Abhishek

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 29/Oct/21 13:40

Updated:: 21/Aug/23 11:41

Resolved:: 08/Dec/21 00:52