This is an automated email from the ASF dual-hosted git repository.
dineshkumar pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new bdc78926d RANGER-5342: USER-role users with names similar to admin or
keyadmin can query those admin/keyadmin users. (#736)
bdc78926d is described below
commit bdc78926dedc56eea30a86adff60ebfaa70f0690
Author: Rakesh Gupta <[email protected]>
AuthorDate: Mon Dec 1 17:05:58 2025 +0530
RANGER-5342: USER-role users with names similar to admin or keyadmin can
query those admin/keyadmin users. (#736)
---
.../java/org/apache/ranger/rest/XUserREST.java | 30 +++++++++++++++++-----
.../java/org/apache/ranger/rest/TestXUserREST.java | 8 +++---
2 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 39b7eb2da..5874bb23f 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -23,6 +23,7 @@
import java.util.Map;
import java.util.List;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
@@ -437,15 +438,32 @@ else if
((searchCriteria.getParamList().containsKey("name")) && userName!= null
hasRole =
!userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ?
userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole;
hasRole =
!userRolesList.contains(RangerConstants.ROLE_USER) ?
userRolesList.add(RangerConstants.ROLE_USER) : hasRole;
} else if
(loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+ if
((CollectionUtils.isNotEmpty(userRolesList) && (userRolesList.size() != 1 ||
!userRolesList.contains(RangerConstants.ROLE_USER)))
+ || (userRole != null &&
!RangerConstants.ROLE_USER.equals(userRole))) {
+ throw
restErrorUtil.create403RESTException("Logged-In user is not allowed to access
requested user data.");
+ }
+
logger.info("Logged-In user having user
role will be able to fetch his own user details.");
- if
(!searchCriteria.getParamList().containsKey("name")) {
- searchCriteria.addParam("name",
loggedInVXUser.getName());
- }else
if(searchCriteria.getParamList().containsKey("name")
- &&
!stringUtil.isEmpty(searchCriteria.getParamValue("name").toString())
- &&
!searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())){
+
+ if
(searchCriteria.getParamList().containsKey("name") &&
!stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) &&
!searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName()))
{
throw
restErrorUtil.create403RESTException("Logged-In user is not allowed to access
requested user data.");
}
-
+
+
+ if (loggedInVXUser != null &&
!xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) {
+ loggedInVXUser =
xUserMgr.getMaskedVXUser(loggedInVXUser);
+ }
+
+ VXUserList vXUserList = new
VXUserList();
+
vXUserList.setVXUsers(Collections.singletonList(loggedInVXUser));
+
vXUserList.setStartIndex(searchCriteria.getStartIndex());
+
vXUserList.setResultSize(vXUserList.getVXUsers().size());
+
vXUserList.setTotalCount(vXUserList.getVXUsers().size());
+
vXUserList.setPageSize(searchCriteria.getMaxRows());
+
vXUserList.setSortBy(searchCriteria.getSortBy());
+
vXUserList.setSortType(searchCriteria.getSortType());
+
+ return vXUserList;
}
}
}
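Review bot: The `loggedInVXUser != null` test in front of the masking step can never be false, because the same reference is already dereferenced in the `else if` condition (`loggedInVXUser.getUserRoleList()`) and in the name comparison just above it; the guard can be reduced to `if (!xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)) {`. The branch now answers from the caller's own record and returns early, ignoring every other search criterion, so the reason should be stated ahead of the `VXUserList` construction, for example `// ROLE_USER: never run the name search; return only the caller's own (possibly masked) record`. The role chain and the rest of the method lie outside this hunk, so it is not visible whether an account whose role list matches none of the branches falls through to the unrestricted search. That is worth confirming, since a default-deny final branch would be the safer shape.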
diff --git
a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
index 4727d0990..cfe4402a3 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestXUserREST.java
@@ -1890,7 +1890,7 @@ public void test112deleteUsersByUserNameNull() {
@SuppressWarnings({ "unchecked", "static-access" })
@Test
public void test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails()
{
-
+
destroySession();
String userLoginID = "testuser";
Long userId = 8L;
@@ -1935,7 +1935,7 @@ public void
test113ErrorWhenRoleUserIsTryingToFetchAnotherUserDetails() {
@SuppressWarnings({ "unchecked", "static-access" })
@Test
public void test114RoleUserWillGetOnlyHisOwnUserDetails() {
-
+
destroySession();
String userLoginID = "testuser";
Long userId = 8L;
@@ -1977,8 +1977,8 @@ public void test114RoleUserWillGetOnlyHisOwnUserDetails()
{
Mockito.when(searchUtil.extractInt(request, testSearchCriteria,
"status", "User Status")).thenReturn(1);
Mockito.when(searchUtil.extractStringList(request,
testSearchCriteria, "userRoleList", "User Role List", "userRoleList",
null,null)).thenReturn(new ArrayList<String>());
Mockito.when(searchUtil.extractRoleString(request,
testSearchCriteria, "userRole", "Role", null)).thenReturn("");
+
Mockito.when(xUserMgr.hasAccessToModule(RangerConstants.MODULE_USER_GROUPS)).thenReturn(true);
Mockito.when(xUserService.getXUserByUserName("testuser")).thenReturn(loggedInUser);
-
Mockito.when(xUserMgr.searchXUsers(testSearchCriteria)).thenReturn(expecteUserList);
VXUserList gotVXUserList=xUserRest.searchXUsers(request, null,
null);
assertEquals(gotVXUserList.getList().size(), 1);
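Review bot: The test drops the `xUserMgr.searchXUsers` stub without asserting that the search is no longer reached, so a regression that reintroduces the name search for ROLE_USER callers would still pass on the size check alone; adding `Mockito.verify(xUserMgr, Mockito.never()).searchXUsers(Mockito.any());` after the call would pin the fix. `hasAccessToModule` is stubbed to `true` here, so the `getMaskedVXUser` path is not exercised by this test. No visible hunk adds a case for the new 403 on a non-USER `userRoleList` or `userRole`, though such tests may exist elsewhere in the file. The test method starts before this hunk and continues past it.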
@@ -2017,7 +2017,7 @@ public void
test116updateXGroupPermissionWithPermissionIdIsNull() {
assertEquals(retVXGroupPermission.getClass(),
testVXGroupPermission.getClass());
}
-
+
@After
public void destroySession() {
RangerSecurityContext context = new RangerSecurityContext();