Skip to content

RANGER-5681: Align GDS secure download endpoint authorization with ot…#1067

Open
vyommani wants to merge 1 commit into
apache:masterfrom
vyommani:RANGER-5681
Open

RANGER-5681: Align GDS secure download endpoint authorization with ot…#1067
vyommani wants to merge 1 commit into
apache:masterfrom
vyommani:RANGER-5681

Conversation

@vyommani

Copy link
Copy Markdown
Contributor

GdsREST.getSecureServiceGdsInfoIfUpdated() (/service/gds/secure/download/{serviceName}) used a weaker validation path than the equivalent secure download endpoints for policies, roles, tags, and user-store data.

What changes were proposed in this pull request?

Replace serviceUtil.isValidateHttpsAuthentication(...) with serviceUtil.isValidService(...)
Add admin/allow-list authorization check (bizUtil.isAdmin(), bizUtil.isUserAllowed(..., Allowed_User_List_For_Download / Allowed_User_List_For_Grant_Revoke)), matching ServiceREST.getSecureServicePoliciesIfUpdated()
Return 403 when the caller isn't admin or allow-listed for the service

How was this patch tested?

Updated TestGdsREST with coverage for admin, allow-listed non-admin, and forbidden non-admin paths
Verified live: low-privileged authenticated user now gets 403 (was 200); admin and allow-listed users still get 200; sibling policy-download endpoint behavior unaffected (control)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant