[
https://issues.apache.org/jira/browse/RANGER-5624?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Krishna Chaitanya Muttevi updated RANGER-5624:
----------------------------------------------
Description:
There is an inconsistency in the masking behavior of the {{updatedBy}} field in
the {{VXGroup}} response across group retrieval APIs. When a group is fetched
using {{{}/xusers/groups/\{id}{{}}}}, the {{updatedBy}} field is masked as
expected. However, when the same group is retrieved using
{{{}/xusers/groups/groupName/\{group_name}{{}}}}, the {{updatedBy}} field is
returned with its actual value instead of being masked.
For example, calling {{GET /service/xusers/groups/groupName/public}} returns
{{{}"updatedBy": "Admin"{}}}, whereas {{{}GET /service/xusers/groups/{id{}}}}
returns a masked value (e.g., {{{}"******"{}}}). This results in inconsistent
API behavior and leads to unintended exposure of user-related metadata through
one endpoint while it remains masked in another.
In below image the underlined red lines would show the true issue and mismatch
in masking field of vXGroup.
!image-2026-06-01-14-52-31-185.png!
was:
There is an inconsistency in the masking behavior of the {{updatedBy}} field in
the {{VXGroup}} response across group retrieval APIs. When a group is fetched
using {{{}/xusers/groups/\{id}{{}}}}, the {{updatedBy}} field is masked as
expected. However, when the same group is retrieved using
{{{}/xusers/groups/groupName/\{group_name}{{}}}}, the {{updatedBy}} field is
returned with its actual value instead of being masked.
For example, calling {{GET /service/xusers/groups/groupName/public}} returns
{{{}"updatedBy": "Admin"{}}}, whereas {{{}GET /service/xusers/groups/{id{}}}}
returns a masked value (e.g., {{{}"******"{}}}). This results in inconsistent
API behavior and leads to unintended exposure of user-related metadata through
one endpoint while it remains masked in another.
In below image the underlined red lines would show the true issue and mismatch
in masking field of vXGroup.
!image-2026-06-01-14-51-55-705.png!
> Inconsistent masking of updatedBy field in
> /xusers/groups/groupName/{group_name} API compared to /xusers/groups/{id}
> --------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5624
> URL: https://issues.apache.org/jira/browse/RANGER-5624
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Affects Versions: 3.0.0
> Reporter: Krishna Chaitanya Muttevi
> Priority: Major
> Attachments: image-2026-06-01-14-52-31-185.png
>
>
> There is an inconsistency in the masking behavior of the {{updatedBy}} field
> in the {{VXGroup}} response across group retrieval APIs. When a group is
> fetched using {{{}/xusers/groups/\{id}{{}}}}, the {{updatedBy}} field is
> masked as expected. However, when the same group is retrieved using
> {{{}/xusers/groups/groupName/\{group_name}{{}}}}, the {{updatedBy}} field is
> returned with its actual value instead of being masked.
> For example, calling {{GET /service/xusers/groups/groupName/public}} returns
> {{{}"updatedBy": "Admin"{}}}, whereas {{{}GET /service/xusers/groups/{id{}}}}
> returns a masked value (e.g., {{{}"******"{}}}). This results in inconsistent
> API behavior and leads to unintended exposure of user-related metadata
> through one endpoint while it remains masked in another.
> In below image the underlined red lines would show the true issue and
> mismatch in masking field of vXGroup.
> !image-2026-06-01-14-52-31-185.png!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
