From 55d8587a7706dc4236fc22f770c5c7803262111e Mon Sep 17 00:00:00 2001
From: Vyom Mani Tiwari
Date: Wed, 17 Jun 2026 15:59:07 +0530
Subject: [PATCH] RANGER-5619: Keyadmin user unable to perform test connection for cm_kms service

---
 .../org/apache/ranger/rest/ServiceREST.java | 12 ++++--
 .../apache/ranger/rest/TestServiceREST.java | 38 +++++++++++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index 2cd449cba3..ea76f54155 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -196,7 +196,7 @@ public class ServiceREST {
     public static final String PURGE_RECORD_TYPE_LOGIN_LOGS = "login_records";
     public static final String PURGE_RECORD_TYPE_TRX_LOGS = "trx_records";
     public static final String PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS = "policy_export_logs";
-    public static final String ERR_VALIDATE_CONFIG_ADMIN_ONLY = "Only system administrators can validate service configs";
+    public static final String ERR_VALIDATE_CONFIG_ADMIN_ONLY = "Only system administrators or key administrators can validate service configs";
 
     private final RangerAdminConfig config = RangerAdminConfig.getInstance();
     private final int maxPolicyNameLength = config.getInt("ranger.policyname.maxlength", 255);
@@ -1080,8 +1080,14 @@ public VXResponse validateConfig(RangerService service) {
         RangerPerfTracer perf = null;
 
         if (!bizUtil.isAdmin()) {
-            LOG.warn("Unauthorized validateConfig attempt by user: {}", bizUtil.getCurrentUserLoginId());
-            throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
+            if (!bizUtil.isKeyAdmin()) {
+                LOG.warn("Unauthorized validateConfig attempt by user: {}", bizUtil.getCurrentUserLoginId());
+                throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
+            }
+            XXServiceDef serviceDef = daoManager.getXXServiceDef().findByName(service.getType());
+            if (serviceDef == null || !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDef.getImplclassname())) {
+                throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
+            }
         }
         try {
             if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 0fc53d00d0..125940347f 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
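Review bot: The new `if (serviceDef == null || !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(...))` branch throws without the `LOG.warn` that the sibling `!isKeyAdmin()` branch emits, so a key admin probing the configs of a non-KMS service leaves no log trace; add `LOG.warn("Unauthorized validateConfig attempt by key admin user: {} on service type: {}", bizUtil.getCurrentUserLoginId(), service.getType());` before that throw. The constant changed in the earlier hunk now tells the caller that key administrators can validate configs, which is misleading for this branch; a dedicated message along the lines of `"Key administrators can validate configs only for KMS services"` would describe the actual rule. `findByName(service.getType())` runs before any null check on `service` or its type, so if the DAO does not tolerate a null name a request without a type would fail here as a server error rather than a 400 — worth confirming against whatever validation follows. The hunk does not show the method's annotations; if validateConfig is additionally guarded by a role-based `@PreAuthorize` restricted to sys admins, key admins would still be rejected before this code and the mocked tests would not reveal it. validateConfig continues outside the hunk.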
@@ -1133,6 +1133,44 @@ public void test35ValidateConfig_NonAdminUser_ThrowsForbidden() throws Exception
         Mockito.verify(serviceMgr, Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
     }
 
+    @Test
+    public void test35eValidateConfig_KeyAdminUser_KmsService_Succeeds() throws Exception {
+        RangerService rangerService = rangerService();
+        rangerService.setType("cm_kms");
+        Mockito.when(bizUtil.isAdmin()).thenReturn(false);
+        Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
+        XXServiceDef xServiceDef = serviceDef();
+        XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+        xServiceDef.setImplclassname(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);
+        Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+        Mockito.when(xServiceDefDao.findByName("cm_kms")).thenReturn(xServiceDef);
+        Mockito.when(serviceMgr.validateConfig(rangerService, svcStore)).thenReturn(vXResponse);
+        VXResponse result = serviceREST.validateConfig(rangerService);
+        Assertions.assertNotNull(result);
+        Mockito.verify(bizUtil).isAdmin();
+        Mockito.verify(bizUtil).isKeyAdmin();
+        Mockito.verify(serviceMgr).validateConfig(rangerService, svcStore);
+    }
+
+    @Test
+    public void test35fValidateConfig_KeyAdminUser_NonKmsService_ThrowsForbidden() throws Exception {
+        RangerService rangerService = rangerService();
+        rangerService.setType("hdfs");
+        Mockito.when(bizUtil.isAdmin()).thenReturn(false);
+        Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
+        XXServiceDef xServiceDef = serviceDef();
+        XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+        xServiceDef.setImplclassname("org.apache.ranger.services.hdfs.RangerServiceHdfs");
+        Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+        Mockito.when(xServiceDefDao.findByName("hdfs")).thenReturn(xServiceDef);
+        Mockito.when(restErrorUtil.createRESTException(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString(), Mockito.eq(true)))
+                .thenReturn(new WebApplicationException(HttpServletResponse.SC_FORBIDDEN));
+        Assertions.assertThrows(WebApplicationException.class, () -> serviceREST.validateConfig(rangerService));
+        Mockito.verify(bizUtil).isAdmin();
+        Mockito.verify(bizUtil).isKeyAdmin();
+        Mockito.verify(serviceMgr, Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
+    }
+
     @Test
     public void test40applyPolicy() {
         RangerPolicy existingPolicy = rangerPolicy();
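Review bot: Neither new test exercises the `serviceDef == null` half of the condition added to validateConfig, so a regression that lets a key admin through when the service type is unknown would go unnoticed. A third test mirroring test35f, with `findByName` stubbed to return null for an unregistered type such as `"unknown"` and the same forbidden-exception assertion, would cover it. test35f also verifies only that `createRESTException` is stubbed with `Mockito.anyString()`, so it does not pin which message the caller receives; matching on `ERR_VALIDATE_CONFIG_ADMIN_ONLY` would make the contract explicit. The service-type literal appears twice in each test (`setType` and `findByName`); a local constant per test would keep the two in step.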