Dineshkumar Yadav created RANGER-5342:
-----------------------------------------
Summary: USER-role users with names similar to admin or keyadmin
can query those admin/keyadmin users.
Key: RANGER-5342
URL: https://issues.apache.org/jira/browse/RANGER-5342
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Dineshkumar Yadav
h3. Reproduction
h4. Precondition
# Create users in Ranger Admin named hrt_123 and hrt_16 with the roles “admin” and “keyadmin” respectively (for example through group.based.role.assignment.rules).
# Create a user named hrt_1 that has only the “user” role.
h4. Test steps
# As user hrt_1, execute the following:
{{curl --insecure -v -u 'hrt_1:Password@123' -H 'Accept: application/json, text/plain, */*' 'https://\{hostname}:6182/service/xusers/users?pageSize=10000&userRole=ROLE_SYS_ADMIN'}}
{{curl --insecure -v -u 'hrt_1:Password@123' -H 'Accept: application/json, text/plain, */*' 'https://\{hostname}:6182/service/xusers/users?pageSize=10000&userRole=ROLE_KEY_ADMIN'}}
h4. Expected behavior
hrt_1 should not be able to view the admin and keyadmin users with similar names.
h4. Actual behavior
For the above queries, hrt_1 gets back the details of hrt_123 and hrt_16.
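Added example (not code from the Ranger project or this report): a small model of the visibility filter plus a regression check over an xusers response. It assumes the leak comes from a partial ("starts with") name match, which the names hrt_1 / hrt_123 / hrt_16 suggest but the report does not state, and it assumes the response field names {{vXUsers}} and {{userRoleList}}.

```python
"""Regression check for RANGER-5342: a USER-role caller querying
/service/xusers/users?userRole=ROLE_SYS_ADMIN (or ROLE_KEY_ADMIN)
must not receive other users' records."""
import json

# Constructed user directory matching the report's precondition.
ALL_USERS = [
    {"name": "hrt_1",   "userRoleList": ["ROLE_USER"]},
    {"name": "hrt_123", "userRoleList": ["ROLE_SYS_ADMIN"]},
    {"name": "hrt_16",  "userRoleList": ["ROLE_KEY_ADMIN"]},
    {"name": "admin",   "userRoleList": ["ROLE_SYS_ADMIN"]},
]

# Constructed sample shaped like the xusers list response (field names
# assumed); it is what the report says hrt_1 got back, not a real capture.
CONSTRUCTED_RESPONSE = json.dumps({
    "vXUsers": [
        {"name": "hrt_123", "userRoleList": ["ROLE_SYS_ADMIN"]},
        {"name": "hrt_16",  "userRoleList": ["ROLE_KEY_ADMIN"]},
    ]
})


def visible_users_buggy(users, caller, caller_roles):
    """Models the observed behaviour (assumed cause): a non-admin caller's
    restriction is a prefix match on the name, so hrt_1 also matches
    hrt_123 and hrt_16."""
    if "ROLE_SYS_ADMIN" in caller_roles:
        return list(users)
    return [u for u in users if u["name"].startswith(caller)]


def visible_users_fixed(users, caller, caller_roles):
    """One hardened form: a non-admin caller sees only its own exact record,
    regardless of any userRole filter supplied in the query."""
    if "ROLE_SYS_ADMIN" in caller_roles:
        return list(users)
    return [u for u in users if u["name"] == caller]


def leaked_users(response_json, caller):
    """Names in an xusers response that belong to someone other than the
    USER-role caller; empty when the endpoint behaves as expected."""
    body = json.loads(response_json)
    return sorted(u["name"] for u in body.get("vXUsers", []) if u["name"] != caller)
```

Point {{leaked_users}} at the body returned by the curl in the test steps to turn the report's expected behaviour into an automated check.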
--
This message was sent by Atlassian Jira
(v8.20.10#820010)