[ https://issues.apache.org/jira/browse/RANGER-3623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bhavik Patel reassigned RANGER-3623:
------------------------------------

    Assignee: kirby zhou

> Add ability to enable anonymous download of policy/role/tag
> -----------------------------------------------------------
>
>                 Key: RANGER-3623
>                 URL: https://issues.apache.org/jira/browse/RANGER-3623
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Assignee: kirby zhou
>            Priority: Major
>         Attachments: add-downloadonly-option.patch
>
>
> Currently, we have an option ranger.admin.allow.unauthenticated.access to
> allow unauthenticated clients to perform a series of API operations. This
> option allows the client to perform both the dangerous grant/revoke permission
> operations and the relatively safe download operations.
> In many cases, allowing anonymous downloading of policies is not a serious
> risk. On the contrary, the complicated Kerberos and SSL settings make it
> difficult for a Ranger plugin embedded in a third-party service to complete the
> task of refreshing policies, which may be a bigger problem. In particular,
> refresh failure often has no obvious signs for administrators to discover.
> Therefore, I suggest that Ranger add the ability to allow clients to
> download policy/tag/roles anonymously.
> There are two ways to achieve it.
>
> 1. Just limit the ability of "ranger.admin.allow.unauthenticated.access=true",
> which needs a modification of
> "security-admin/src/main/resources/conf.dist/security-applicationContext.xml"
> to remove dangerous operations from 'security="none"'.
>
> 2. Add a candidate value "downloadonly" to
> "ranger.admin.allow.unauthenticated.access",
> which needs modifications to ServiceRest.java and BizUtil.java to implement the
> enhanced checking logic.
>
> I have a patch for method 2.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
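As an added illustration (not Ranger's code and not the attached patch), the gate below models the checking logic method 2 asks for: the config value `ranger.admin.allow.unauthenticated.access` is parsed into a mode, each request is classified as a read-only download or a mutating grant/revoke, and an unauthenticated caller is admitted only when the mode permits that class. The `Mode` and `Operation` names, the `isAllowed` signature and the fail-closed handling of unknown values are assumptions made for the example; in Ranger the equivalent decision would live in the ServiceRest/BizUtil code the reporter names.

```java
import java.util.Locale;

// Added example, not Apache Ranger code: models the proposed "downloadonly"
// value for ranger.admin.allow.unauthenticated.access as a request gate.
public class UnauthenticatedAccessGate {

    // Assumed enum: the three settings the ticket discusses.
    public enum Mode { DENY, DOWNLOAD_ONLY, ALL }

    // Assumed enum: the operations the ticket contrasts. readOnly marks the
    // cache-refresh downloads a plugin needs; the rest change authorization state.
    public enum Operation {
        POLICY_DOWNLOAD(true), TAG_DOWNLOAD(true), ROLE_DOWNLOAD(true),
        GRANT_ACCESS(false), REVOKE_ACCESS(false);

        final boolean readOnly;
        Operation(boolean readOnly) { this.readOnly = readOnly; }
    }

    // Map the raw property value to a mode. Anything that is not exactly
    // "true" or "downloadonly" (including null, blank or a typo) fails closed.
    public static Mode parseMode(String configValue) {
        if (configValue == null) {
            return Mode.DENY;
        }
        switch (configValue.trim().toLowerCase(Locale.ROOT)) {
            case "true":         return Mode.ALL;
            case "downloadonly": return Mode.DOWNLOAD_ONLY;
            default:             return Mode.DENY;
        }
    }

    // Decide whether the request may proceed to the normal authorization
    // checks. Authenticated callers are never blocked here; their permissions
    // are evaluated downstream exactly as before.
    public static boolean isAllowed(Mode mode, boolean authenticated, Operation op) {
        if (authenticated) {
            return true;
        }
        switch (mode) {
            case ALL:           return true;
            case DOWNLOAD_ONLY: return op.readOnly;
            default:            return false;
        }
    }

    public static void main(String[] args) {
        Mode mode = parseMode("downloadonly");
        for (Operation op : Operation.values()) {
            System.out.println(op + " anonymous -> " + isAllowed(mode, false, op));
        }
        // A misspelled setting must not silently open anything up.
        System.out.println("mode for 'downlaodonly': " + parseMode("downlaodonly"));
    }
}
```

With the mode set to `downloadonly`, the loop in `main` admits the three download operations for an anonymous caller and rejects grant and revoke, which is the split the ticket describes; a misspelled value resolves to `DENY`, so a configuration typo cannot widen anonymous access beyond what `false` allows.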