ramackri commented on code in PR #1000:
URL: https://github.com/apache/ranger/pull/1000#discussion_r3377984943


##########
security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java:
##########
@@ -457,7 +457,8 @@ public VXUserList searchXUsers(@Context HttpServletRequest 
request, @QueryParam(
                     hasRole = 
!userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN) ? 
userRolesList.add(RangerConstants.ROLE_KEY_ADMIN) : hasRole;
                     hasRole = 
!userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? 
userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole;
                     hasRole = 
!userRolesList.contains(RangerConstants.ROLE_USER) ? 
userRolesList.add(RangerConstants.ROLE_USER) : hasRole;
-                } else if 
(loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+                } else if (userSession.isSingleRoleUserSession()) {
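Review bot: the new `else if` condition changes what is being tested, not just how: `loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)` checks role identity, while `userSession.isSingleRoleUserSession()` checks role count, so a session holding exactly one role other than ROLE_USER (a single-role admin or auditor) would now enter the branch written for plain users. Suggest keeping the identity check in the guard, e.g. `} else if (userSession.isSingleRoleUserSession() && loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {`, or documenting why a single-role session is guaranteed to carry ROLE_USER. Separately, the surrounding `hasRole = !userRolesList.contains(X) ? userRolesList.add(X) : hasRole;` lines use a ternary purely for the side effect of `add()`; a plain `if (!userRolesList.contains(X)) { userRolesList.add(X); }` would be clearer, although that context is unchanged by this hunk.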

Review Comment:
   Good catch — simplified the guard to `!userRolesList.contains(ROLE_USER)` 
(dropping the dead `size() != 1` check). The 403 is still thrown when the 
search criteria request a non-ROLE_USER role. Fixed in 0463bda0f.



##########
security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java:
##########
@@ -1153,6 +1159,43 @@ public Collection<String> getRolesByLoginId(String 
loginId) {
         return roleList;
     }
 
+    /**
+     * Returns DB roles augmented with config super-user roles for
+     * Spring Security authentication.
+     * Does not modify {@code x_portal_user_role}; use
+     * {@link #getRolesByLoginId(String)} for DB-only roles.
+     *
+     * @param loginId portal login id
+     * @return DB roles plus config super-user roles when applicable
+     */
+    public Collection<String> getAuthenticationRolesByLoginId(final String 
loginId) {
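Review bot: the Javadoc on `getAuthenticationRolesByLoginId` leaves "when applicable" undefined; since this method feeds Spring Security authentication and the overlay effectively grants admin privileges, the comment should state the exact condition (which configuration property lists the super-users and whether the login id match is exact or case-insensitive). It is also worth saying explicitly that, because `x_portal_user_role` is not updated, role listings read from the DB will not show these overlay roles, so any review of effective privileges must consult the configuration as well as the table.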

Review Comment:
   Done (0463bda0f) — removed `getAuthenticationRolesByLoginId()`. Config 
super-user role overlay is now appended at the end of existing 
`getRolesByLoginId()`; DB role resolution logic is unchanged. Auth filters and 
`RangerAuthenticationProvider` call `getRolesByLoginId()` directly.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
