[
https://issues.apache.org/jira/browse/RANGER-2130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16515419#comment-16515419
]
Don Bosco Durai commented on RANGER-2130:
-----------------------------------------
[~toopt4] , I am not sure whether this is a valid issue. What you are seeing
are the roles supported by Ranger. There is no harm in knowing all the roles
supported by Ranger. Especially, Ranger is an open source project and the
source code is available to everyone.
I would have been more concerned if by changing the UI fields values a regular
user is able to impersonate as an Admin user and able to make server-side
changes. But based on your comment, the server gives an appropriate error when
you do it.
Let me know if you still feel this is an issue.
Thanks
> Ranger Admin - client-side control bypass
> -----------------------------------------
>
> Key: RANGER-2130
> URL: https://issues.apache.org/jira/browse/RANGER-2130
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 1.0.0
> Reporter: t oo
> Assignee: Nitin Galave
> Priority: Major
> Attachments: 0001-RANGER-2130.patch, Screen Shot 2018-06-11 at
> 10.36.39 am.png, client_side_controls1.PNG, client_side_controls2.PNG
>
>
> *Risk/Issue summary finding*
> {code:java}
> Client-side Control Bypass (Ranger){code}
> *Risk/Issue summary description/detail*
> {code:java}
> The Apache Ranger application relies on client-side controls to restrict user
> access to certain information and functionality. A user can bypass these
> controls (by modifying client-side parameters or directly browsing to
> specific API requests or resources) to view information without the required
> authorisation.
> The attached screenshots show the "admin" user bypassing client-side controls
> to modify their Role from "User" to "Admin". Whilst submitting this request
> is unsuccessful and will not permanently change the user role, the GUI allows
> access to sections that were previously hidden.{code}
> *Business impact / attack scenario*
> {code:java}
> Low privilege users with restricted access are able to view information that
> is not intended for their viewing. As an example, the admin user can bypass
> client side controls to view configuration details for the HIVE_RANGER_E2E
> hive object. {code}
> *Recommendation*
> {code:java}
> Do not rely on client-side controls to restrict user access. Ensure that
> server-side controls are in place to restrict unauthorised access to
> sensitive information and APIs. {code}
>
> In the rangeradmin ui, on the users page, after clicking on a user. If you
> edit the html on the site (ie in Chrome) you can remove the 'disabled' tag so
> that the role of User becomes ungreyed out and you can change the role from
> User to Admin!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
