[ https://issues.apache.org/jira/browse/RANGER-3502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kishor Gollapalliwar updated RANGER-3502:
-----------------------------------------
    Summary: Make GET zones API accessible to authorized users only  (was: Make get zones API accessible to authorized users)

> Make GET zones API accessible to authorized users only
> ------------------------------------------------------
>
>                 Key: RANGER-3502
>                 URL: https://issues.apache.org/jira/browse/RANGER-3502
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Kishor Gollapalliwar
>            Assignee: Kishor Gollapalliwar
>            Priority: Major
>
> Currently get [zones|https://ranger.apache.org/apidocs/resource_SecurityZoneREST.html#resource_SecurityZoneREST_getAllZones_GET] API returns all zones even for users who are not authorized to zone modules.
> Restrict this API to only users who are authorized to zone module.
> Steps to reproduce:
> # Create an internal user name, test_user1
> # Remove the permission on Security Zone module for a user
> # Login as test_user1 user to Ranger Admin, user should not be able to see Security Zone tab
> # Access the API using curl
> {code:java}
> curl -ikv -u test_user1:pass@123 -X GET -H "Accept:application/json" -H "Content-Type:application/json" "https://<RANGER_ADMIN_HOST>:6182/service/zones/zones"
> {code}
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)