[
https://issues.apache.org/jira/browse/RANGER-5539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18075392#comment-18075392
]
Chinmay N Hegde edited comment on RANGER-5539 at 6/1/26 3:20 PM:
-----------------------------------------------------------------
Merged into apache master :
[https://github.com/apache/ranger/commit/13dc2c107a7704d10f784a922ebd51b416a89702]
Merged into apache 2.9.0:
[https://github.com/apache/ranger/commit/10383b64dfb763b5a37c1a6226238fd470dd4453]
was (Author: JIRAUSER309092):
Merged into apache master :
[https://github.com/apache/ranger/commit/13dc2c107a7704d10f784a922ebd51b416a89702]
> Add Authorisation Check for doAsUser Parameter
> ----------------------------------------------
>
> Key: RANGER-5539
> URL: https://issues.apache.org/jira/browse/RANGER-5539
> Project: Ranger
> Issue Type: Sub-task
> Components: Ranger, ranger-authn
> Reporter: Chinmay N Hegde
> Assignee: Chinmay N Hegde
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently {{RangerJwtAuthHandler}} accepts the {{doAsUser}} value directly
> from the incoming request and uses it to establish the authenticated user
> identity without performing any validation.
> So the user should be validated for impersonation permission on {{doAsUser}}
> parameter.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
