[ https://issues.apache.org/jira/browse/RANGER-5342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rakesh Gupta updated RANGER-5342:
---------------------------------
    Fix Version/s: 3.0.0

> USER-role users with names similar to admin or keyadmin can query those 
> admin/keyadmin users.
> ---------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5342
>                 URL: https://issues.apache.org/jira/browse/RANGER-5342
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Dineshkumar Yadav
>            Assignee: Rakesh Gupta
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> h3. Reproduction
> h4. Precondition
>  # Create users in ranger admin with name hrt_123, and hrt_16 with roles 
> “admin” and “keyadmin” respectively. (for example through 
> group.based.role.assignment.rules)
>  # Create a user with name hrt_1 that has only “user” role.
> h4. Test steps
>  # As user hrt_1, execute the following:
>  
>  {{curl --insecure -k -v -u 'hrt_1:Password@123' -H 'Accept: 
> application/json, text/plain, */*' 
> 'https://\{hostname}:6182/service/xusers/users?pageSize=10000&userRole=ROLE_SYS_ADMIN'}}
>  
>  {{curl --insecure -k -v -u 'hrt_1:Password@123' -H 'Accept: 
> application/json, text/plain, */*' 
> 'https://\{hostname}:6182/service/xusers/users?pageSize=10000&userRole=ROLE_KEY_ADMIN'}}
> h4. Expected behavior
> hrt_1 should not be able to view admin and keyadmin users with similar name.
> h4. Actual behavior
> hrt_1 gets back for the above queries the details of hrt_123, and hrt_16.
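A regression check for the behaviour the ticket describes, added here as an example and not part of the Ranger project's code or tests: it issues the same two queries as the reporter's curl commands and reports any account other than the caller's own that comes back. It assumes the endpoint returns the usual `vXUsers` JSON list; `SAMPLE_RESPONSES` and `sample_fetch` are constructed stand-ins for a live server so the check runs offline.

```python
# Regression check for the RANGER-5342 symptom: a USER-role account must get no other
# accounts back from /service/xusers/users filtered on ROLE_SYS_ADMIN / ROLE_KEY_ADMIN.
# Assumes the endpoint's usual {"vXUsers": [{"name": ..., "userRoleList": [...]}]} JSON shape.
import base64
import json
import urllib.parse
import urllib.request

PRIVILEGED_ROLES = ("ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN")

def build_request(base_url, user, password, role):
    """Same query as the ticket's curl, with TLS verification left on."""
    query = urllib.parse.urlencode({"pageSize": 10000, "userRole": role})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url}/service/xusers/users?{query}",
        headers={"Accept": "application/json", "Authorization": f"Basic {token}"},
    )

def http_fetch(req):
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def leaked_users(body, caller):
    """Names in the listing other than the caller's own: a USER-role caller must see none."""
    return sorted(u["name"] for u in body.get("vXUsers", []) if u.get("name") != caller)

def check_role_filter(base_url, caller, password, fetch=http_fetch):
    """Run both queries from the ticket; return {role: [leaked names]}, empty when fixed."""
    findings = {}
    for role in PRIVILEGED_ROLES:
        names = leaked_users(fetch(build_request(base_url, caller, password, role)), caller)
        if names:
            findings[role] = names
    return findings

# Constructed sample of what the unfixed server returned to hrt_1 (not captured output).
SAMPLE_RESPONSES = {
    "ROLE_SYS_ADMIN": {"vXUsers": [{"name": "hrt_123", "userRoleList": ["ROLE_SYS_ADMIN"]}]},
    "ROLE_KEY_ADMIN": {"vXUsers": [{"name": "hrt_16", "userRoleList": ["ROLE_KEY_ADMIN"]}]},
}

def sample_fetch(req):
    """Offline stand-in for http_fetch, keyed on the userRole query parameter."""
    role = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)["userRole"][0]
    return SAMPLE_RESPONSES[role]

if __name__ == "__main__":
    # Live use: check_role_filter("https://HOSTNAME:6182", "hrt_1", "PASSWORD")
    print(check_role_filter("https://ranger.example", "hrt_1", "x", fetch=sample_fetch))
```

An empty dict from `check_role_filter` against a 3.0.0 instance is the expected (fixed) result; any non-empty entry reproduces the ticket.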



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
