[ 
https://issues.apache.org/jira/browse/RANGER-4027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17678041#comment-17678041
 ] 

Abhishek Kumar edited comment on RANGER-4027 at 1/18/23 1:16 AM:
-----------------------------------------------------------------

/ugsyncAudits/{syncSource}

API endpoint is deprecated and can be removed. The sync source can be used as a 
search criterion in the API endpoint /ugsyncAudits to achieve the same.


was (Author: abhi_2110):
/ugsyncAudits/{syncSource} API endpoint is deprecated and can be removed. The 
sync source can be used as a search criterion in the API endpoint /ugsyncAudits 
to achieve the same.

> Ranger asset ugsyncAudits rest api is giving access to the unauthorized user
> ----------------------------------------------------------------------------
>
>                 Key: RANGER-4027
>                 URL: https://issues.apache.org/jira/browse/RANGER-4027
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Abhilash Perla
>            Priority: Major
>
> Test case steps followed: 
> When we call the 
> API([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAudits_GET])
>  with the hrt_1 user (who doesn't have admin privileges), we get a 403 response.
> Command or api request:
> {noformat}
> curl -iku hrt_1:Password@123 
> 'https://ranger_base_url:6182/service/assets/ugsyncAudits'{noformat}
> The output:
> {noformat}
> HTTP/1.1 403 Forbidden
> Set-Cookie: RANGERADMINSESSIONID=2A265BF9974B392294B8B49ED8A2DEBC; Path=/; 
> Secure; HttpOnly
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 
> 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 
> 'self' 'unsafe-inline';font-src 'self'
> X-Permitted-Cross-Domain-Policies: none
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Thu, 22 Dec 2022 11:40:04 GMT
> Server: Apache Ranger
> User is not having permissions on the Audit module.{noformat}
> Then, when this 
> API([link|https://ranger.apache.org/apidocs/resource_AssetREST.html#resource_AssetREST_getUgsyncAuditsBySyncSource_GET])
>  is called, it gives access.
> The api request:
> {noformat}
> curl -iku hrt_1:Password@123 
> 'https://ranger_base_url:6182/service/assets/ugsyncAudits/random'{noformat}
> The output:
> {noformat}
> HTTP/1.1 200 OK
> Set-Cookie: RANGERADMINSESSIONID=66C3858FAD2599A431476ECFBDBFF0EF; Path=/; 
> Secure; HttpOnly
> Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> Content-Security-Policy: default-src 'none'; script-src 'self' 
> 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 
> 'self' 'unsafe-inline';font-src 'self'
> X-Permitted-Cross-Domain-Policies: none
> X-Content-Type-Options: nosniff
> Content-Type: application/json
> Transfer-Encoding: chunked
> Date: Thu, 22 Dec 2022 11:43:08 GMT
> Server: Apache Ranger
> {"startIndex":0,"pageSize":0,"totalCount":0,"resultSize":0,"queryTimeMS":1671709388359,"vxUgsyncAuditInfoList":[]}{noformat}
>  
> Expected Output:
> When the API assets/ugsyncAudits/{syncSource} is called by the hrt_1 user, 
> the request should be denied and should return a 403.
> Actual Output:
> The hrt_1 user is able to access the assets/ugsyncAudits/{syncSource} API 
> and the request returns 200.
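The two curl calls in the report make a useful regression check once the fix lands: every variant of the ugsyncAudits endpoint must refuse a caller who lacks the Audit-module permission, and any 2xx from such a caller is an authorization gap, even when the result page is empty as it is above. The following is an added example, not Ranger project code and not part of the Jira thread. It probes the two paths from the report with an injectable HTTP fetcher, so the same logic runs offline against a constructed fixture that mirrors the pasted responses; the basic-auth fetcher, the `verify_tls` switch and the `probe`/`bypasses` function names are this example's own assumptions, and the literal `random` segment stands in for `{syncSource}` exactly as in the report.

```python
"""Added example (not Ranger project code): regression probe for the
authorization gap described in RANGER-4027.

Given a low-privilege account, every ugsyncAudits endpoint variant must
refuse the call; a 2xx is an authorization bypass. The HTTP fetcher is
injectable, so the check runs offline against a constructed fixture."""
import base64
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Paths taken from the report; "random" stands in for the {syncSource} segment.
BASE_PATH = "/service/assets/ugsyncAudits"
SYNC_SOURCE_PATH = "/service/assets/ugsyncAudits/random"
ENDPOINT_PATHS = [BASE_PATH, SYNC_SOURCE_PATH]

# A fetcher maps a path to (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


@dataclass(frozen=True)
class Finding:
    path: str
    status: int
    exposes_data: bool   # True when the non-admin caller received a 2xx
    record_count: int    # audit rows in the body (0 when it is not a result page)


def make_basic_auth_fetcher(base_url: str, user: str, password: str,
                            verify_tls: bool = True) -> Fetcher:
    """Fetcher for a live Ranger Admin using HTTP basic auth (assumed helper,
    not exercised by the offline test). Disable TLS verification only for a
    lab instance with a self-signed certificate."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:   # 403/404 arrive as exceptions
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def count_records(body: str) -> int:
    """Count rows in a vxUgsyncAuditInfoList page; a non-JSON body such as
    the 403 text from the report counts as zero."""
    try:
        doc = json.loads(body)
    except ValueError:
        return 0
    if not isinstance(doc, dict):
        return 0
    return len(doc.get("vxUgsyncAuditInfoList", []))


def probe(fetch: Fetcher, paths: List[str] = ENDPOINT_PATHS) -> List[Finding]:
    """Call each path as the low-privilege user and record what came back."""
    findings = []
    for path in paths:
        status, body = fetch(path)
        findings.append(Finding(path, status, 200 <= status < 300, count_records(body)))
    return findings


def bypasses(findings: List[Finding]) -> List[str]:
    """Paths that served the caller at all. An empty result page still proves
    the Audit-module permission check was skipped."""
    return [f.path for f in findings if f.exposes_data]


# Constructed fixture reproducing the two responses pasted in the report.
REPORTED_RESPONSES: Dict[str, Tuple[int, str]] = {
    BASE_PATH: (403, "User is not having permissions on the Audit module."),
    SYNC_SOURCE_PATH: (200, '{"startIndex":0,"pageSize":0,"totalCount":0,'
                            '"resultSize":0,"queryTimeMS":1671709388359,'
                            '"vxUgsyncAuditInfoList":[]}'),
}


def reported_behaviour(path: str) -> Tuple[int, str]:
    """Offline fetcher returning the fixture above (404 for anything else)."""
    return REPORTED_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    for f in probe(reported_behaviour):
        print(f"{f.status} {f.path} exposes_data={f.exposes_data} records={f.record_count}")
    print("bypass:", bypasses(probe(reported_behaviour)))
```

Against the fixture, `bypasses` reports only the `/random` path, matching the report. Once the deprecated path is removed as the comment proposes, the same probe pointed at a live instance through `make_basic_auth_fetcher` should return an empty bypass list; a non-2xx status of any kind (403 or 404) satisfies the check, since what matters is that the non-admin caller is never served audit data.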



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
