krishnamuttevi opened a new pull request, #993:
URL: https://github.com/apache/ranger/pull/993
Currently, there is an inconsistency in the masking behavior of the
updatedBy field in VXGroup responses across group retrieval APIs. When a group
is fetched by its ID (GET /xusers/groups/{id}), the field is correctly masked
to prevent metadata leakage. However, retrieving the exact same group by its
name (GET /xusers/groups/groupName/{group_name}) bypasses this masking and
exposes the actual user value (e.g., "Admin"). This inconsistency leads to an
unreliable API contract and the unintended exposure of sensitive user-related
metadata.
This was solved by:
1. Resolve the group ID using the requested group name directly within the
xuserrest layer.
2. Route the subsequent retrieval call through the existing
xUserMgr.getXGroup(id) method.
3. Update the following unit tests accordingly
Align the underlying logic so both endpoints share the exact same retrieval
pipeline, ensuring the updatedBy field is consistently masked across all
responses.
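A simplified model of the fix described in this pull request, added here as an illustration and not taken from the Ranger code base. `GroupStore`, `GroupApi`, `MASK` and `leaking_fields` are hypothetical names, the sample group is constructed, and `get_group` only stands in for the masked `xUserMgr.getXGroup(id)` path. It shows the by-name lookup before and after being routed through the by-id path, plus a parity check that flags any field differing between the two responses.

```python
# Added illustration: a simplified model, not Apache Ranger code.
# GroupStore, GroupApi, MASK and leaking_fields are hypothetical names.
from dataclasses import dataclass, replace

MASK = "*****"  # constructed placeholder for the masked value


@dataclass(frozen=True)
class Group:
    id: int
    name: str
    updated_by: str


class GroupStore:
    """Raw persistence layer: always returns unmasked records."""

    def __init__(self, groups):
        self._by_id = {g.id: g for g in groups}

    def find_by_id(self, group_id):
        return self._by_id.get(group_id)

    def find_by_name(self, name):
        return next((g for g in self._by_id.values() if g.name == name), None)


class GroupApi:
    def __init__(self, store):
        self._store = store

    def get_group(self, group_id):
        """Single masked retrieval path (stands in for getXGroup(id))."""
        group = self._store.find_by_id(group_id)
        return None if group is None else replace(group, updated_by=MASK)

    def get_group_by_name_unmasked(self, name):
        """'Before' behaviour: a separate path that skips the masking step."""
        return self._store.find_by_name(name)

    def get_group_by_name(self, name):
        """'After' behaviour: resolve the id, then reuse the masked path."""
        group = self._store.find_by_name(name)
        return None if group is None else self.get_group(group.id)


def leaking_fields(by_id, by_name):
    """Contract check: names of fields that differ between the two responses."""
    return sorted(k for k in vars(by_id) if getattr(by_id, k) != getattr(by_name, k))
```

Running a parity check like `leaking_fields` over every pair of endpoints that return the same object catches this kind of drift for any field, not only `updatedBy`.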