RANGER-5567: allow validateConfig API available only for users with Ranger admin role#931
RANGER-5567: allow validateConfig API available only for users with Ranger admin role#931vyommani wants to merge 2 commits intoapache:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to restrict access to the ServiceREST.validateConfig API, and it also introduces Hive JDBC URL validation to block potentially dangerous JDBC parameters before connecting.
Changes:
- Re-maps
RangerAPIList.VALIDATE_CONFIGto a different UI/module association inRangerAPIMapping. - Adds a new
JdbcUrlValidatorand a comprehensive JUnit test suite for it. - Wires JDBC URL validation into
HiveClientconnection initialization.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java | Adjusts which UI tab/module is associated with VALIDATE_CONFIG for authorization decisions. |
| hive-agent/src/main/java/org/apache/ranger/services/hive/client/HiveClient.java | Invokes JDBC URL validation prior to attempting a JDBC connection. |
| hive-agent/src/main/java/org/apache/ranger/services/hive/client/JdbcUrlValidator.java | New validator that rejects JDBC URLs with prohibited/dangerous parameter names/patterns. |
| hive-agent/src/test/java/org/apache/ranger/services/hive/client/JdbcUrlValidatorTest.java | New test coverage for URL validation, bypass attempts, and sanitization. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| apiAssociatedWithUserAndGroups.add(RangerAPIList.SECURE_GET_X_USER); | ||
| apiAssociatedWithUserAndGroups.add(RangerAPIList.UPDATE_X_AUDIT_MAP); | ||
| apiAssociatedWithUserAndGroups.add(RangerAPIList.UPDATE_X_PERM_MAP); | ||
| apiAssociatedWithUserAndGroups.add(RangerAPIList.VALIDATE_CONFIG); |
There was a problem hiding this comment.
Adding VALIDATE_CONFIG to the Users/Groups tab (and removing it from Resource Based Policies) does not make the validateConfig API admin-only, because VALIDATE_CONFIG is still mapped under other tabs (e.g., Tag Based Policies and Key Manager earlier in this same file). Since isAPIAccessible() grants access if the user has any of the associated tab permissions, non-admin users with those modules will still be able to call /services/validateConfig. To restrict this API to Ranger admin only, remove VALIDATE_CONFIG from the other tab mappings and/or change the endpoint authorization to use isAdminRole() (or equivalent) instead of tab-based access.
| apiAssociatedWithUserAndGroups.add(RangerAPIList.VALIDATE_CONFIG); |
What changes were proposed in this pull request?
allow validateConfig API available only for users with Ranger admin role
How was this patch tested?
mvn clean install is success and added the new tests as well.