-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55703/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, Gautam Borad, Abhay Kulkarni, Madhan
Neethiraj, Mehul Parikh, and Velmurugan Periasamy.
Bugs: RANGER-1197
https://issues.apache.org/jira/browse/RANGER-1197
Repository: ranger
Description
-------
**Problem Statement:** A non-admin user is able to download the plugin status info.
**Steps to Reproduce:**
1) Added a user pradeep with the User role.
2) Made the following REST call to get the plugin status:
curl -i -u pradeep:user1234
"http://localhost:6080/service/public/v2/api/plugins/info"
Output:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=AC7C627728EBEF5B3251CF13FEE1F8DD; Path=/; HttpOnly
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; Domain=ctr-e84-1482462582057-1395-01-000002.hwx.site; Expires=Thu, 01-Jan-1970 00:00:00 GMT; HttpOnly
X-Frame-Options: DENY
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 27 Dec 2016 12:00:38 GMT
**Proposed solution:**
*Facts:*
1. Currently, the Plugin info API is listed under both the 'Audit' tab and the 'Reports' tab.
2. By default, all new users are allowed to access the 'Resource based policy' and 'Reports' tabs.
*Observation:* Since the API is listed under the 'Reports' tab and the user has access to the 'Reports' tab, the user is able to view the plugin details.
*Solution:* We can remove the Plugin info REST API association from the 'Reports' tab.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java 3529601
Diff: https://reviews.apache.org/r/55703/diff/
Testing
-------
**Steps Performed (with patch):**
1. Untarred ranger-admin from a build containing the proposed patch.
2. Provided ranger db root and admin db details in install.properties.
3. Executed setup.sh script.
4. Started ranger admin service.
5. Added a user pradeep with the User role.
6. Made the following REST call to get the plugin status:
curl -i -u pradeep:user1234
"http://localhost:6080/service/public/v2/api/plugins/info"
**Expected behaviour:** user pradeep should not be able to download the plugin status.
**Actual behaviour:** user pradeep was not able to download the plugin status.
**Actual output:**
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Set-Cookie: RANGERADMINSESSIONID=1292FC277F38E629E3BC54B283D16FAD; Path=/; HttpOnly
X-Frame-Options: DENY
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 979
Date: Thu, 19 Jan 2017 08:22:14 GMT
<html><head><title>Apache Tomcat/7.0.68 - Error report</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
{color : black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>HTTP Status 403 - Forbidden</h1><HR size="1"
noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b>
<u>Forbidden</u></p><p><b>description</b> <u>Access to the specified resource
has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache
Tomcat/7.0.68</h3></body></html>
Thanks,
Pradeep Agrawal
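The access rule the proposed solution relies on, modelled as an added example (this is not Ranger's RangerAPIMapping code and not part of the review request): a REST API is associated with one or more UI tabs, a role is granted a set of tabs, and a call succeeds when the caller's role holds any tab the API is associated with, so the weakest tab in the association decides. The endpoint path and the 'Audit', 'Reports' and 'Resource Based Policies' tab names come from the review; the role names, the Admin tab set, the "privileged tab" notion and the function names are assumptions made for the illustration. The `leaked_apis` audit is the check a reviewer would want to run over the whole mapping: it flags every API that sits behind a privileged tab but is also reachable through a tab the default User role holds, which is exactly the shape of RANGER-1197.

```python
"""Model of tab-based REST API authorization as described in RANGER-1197.

Added illustration only; not Ranger's RangerAPIMapping.java. Names other
than those quoted in the review are assumptions.
"""

PLUGIN_INFO = "public/v2/api/plugins/info"   # endpoint from the review

# Tabs granted to each role. The 'User' defaults are the two tabs the review
# says every new user gets; the Admin set is an assumption standing in for
# "all tabs".
ROLE_TABS = {
    "Admin": {"Audit", "Reports", "Resource Based Policies"},
    "User": {"Resource Based Policies", "Reports"},
}

# Tabs an ordinary user is not meant to reach APIs through (assumption).
PRIVILEGED_TABS = {"Audit"}

# API -> associated tabs before the patch (Fact 1 in the review) ...
API_TABS_BEFORE = {PLUGIN_INFO: {"Audit", "Reports"}}
# ... and after the patch, with the 'Reports' association removed.
API_TABS_AFTER = {PLUGIN_INFO: {"Audit"}}


def is_allowed(api, role, api_tabs, role_tabs=ROLE_TABS):
    """Permit the call when the role holds any tab the API is mapped to."""
    if api not in api_tabs:
        # Unmapped API: deny by default rather than fall open.
        return False
    return bool(api_tabs[api] & role_tabs.get(role, set()))


def http_status(api, role, api_tabs, role_tabs=ROLE_TABS):
    """Status code the server would return under this rule."""
    return 200 if is_allowed(api, role, api_tabs, role_tabs) else 403


def leaked_apis(api_tabs, role_tabs=ROLE_TABS, low_role="User",
                privileged=PRIVILEGED_TABS):
    """Audit the mapping: APIs that are associated with a privileged tab
    but are also reachable through a tab the low-privilege role holds.
    Every hit is a RANGER-1197-shaped exposure, because any one matching
    tab is enough to grant access."""
    low_tabs = role_tabs[low_role]
    return sorted(
        api for api, tabs in api_tabs.items()
        if tabs & privileged and tabs & low_tabs
    )


if __name__ == "__main__":
    for label, mapping in (("before patch", API_TABS_BEFORE),
                           ("after patch", API_TABS_AFTER)):
        print(f"{label}: User -> HTTP {http_status(PLUGIN_INFO, 'User', mapping)}, "
              f"Admin -> HTTP {http_status(PLUGIN_INFO, 'Admin', mapping)}, "
              f"leaked: {leaked_apis(mapping)}")
```

Running the block reproduces the two observations in the review: the User role gets 200 against the pre-patch mapping and 403 after the 'Reports' association is dropped, while Admin still gets 200. The audit returns the plugin-info endpoint for the pre-patch mapping and nothing afterwards; running the same check over a full API-to-tab table would surface any other endpoint that is multi-mapped onto a default-granted tab.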