@@ -196,7 +196,7 @@ public class ServiceREST {
public static final String PURGE_RECORD_TYPE_LOGIN_LOGS = "login_records";
public static final String PURGE_RECORD_TYPE_TRX_LOGS = "trx_records";
public static final String PURGE_RECORD_TYPE_POLICY_EXPORT_LOGS = "policy_export_logs";
public static final String ERR_VALIDATE_CONFIG_ADMIN_ONLY = "Only system administrators can validate service configs";
public static final String ERR_VALIDATE_CONFIG_ADMIN_ONLY = "Only system administrators or key administrators can validate service configs";

private final RangerAdminConfig config = RangerAdminConfig.getInstance();
private final int maxPolicyNameLength = config.getInt("ranger.policyname.maxlength", 255);
@@ -1080,8 +1080,14 @@ public VXResponse validateConfig(RangerService service) {
RangerPerfTracer perf = null;

if (!bizUtil.isAdmin()) {
LOG.warn("Unauthorized validateConfig attempt by user: {}", bizUtil.getCurrentUserLoginId());
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
if (!bizUtil.isKeyAdmin()) {
LOG.warn("Unauthorized validateConfig attempt by user: {}", bizUtil.getCurrentUserLoginId());
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
}
XXServiceDef serviceDef = daoManager.getXXServiceDef().findByName(service.getType());
if (serviceDef == null || !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(serviceDef.getImplclassname())) {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, ERR_VALIDATE_CONFIG_ADMIN_ONLY, true);
}
}
try {
if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
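Review bot: The new rejection in the `serviceDef == null || !EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME.equals(...)` branch throws SC_FORBIDDEN without logging, whereas the non-key-admin branch directly above it logs the rejected user, so a key admin calling validateConfig against a non-KMS or unknown service type leaves no warning in the log. Add before that throw `LOG.warn("Unauthorized validateConfig attempt by key admin user: {} for service type: {}", bizUtil.getCurrentUserLoginId(), service.getType());`. Both rejections return the same ERR_VALIDATE_CONFIG_ADMIN_ONLY message (updated in the first hunk), which is fine for the client but makes the log the only place the two reasons can be told apart. The lookup fails closed when findByName returns null, but if `service` itself can arrive null the `service.getType()` call NPEs before the authorization decision is made; presumably earlier validation prevents that, worth confirming. validateConfig begins before and continues past this hunk.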
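--- a/<TEST_FILE_PATH_NOT_SHOWN>
+++ b/<TEST_FILE_PATH_NOT_SHOWN>
@@ -1133,6 +1133,44 @@ public void test35ValidateConfig_NonAdminUser_ThrowsForbidden() throws Exception
 Mockito.verify(serviceMgr, Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
 }
 
+@Test
+public void test35eValidateConfig_KeyAdminUser_KmsService_Succeeds() throws Exception {
+RangerService rangerService = rangerService();
+rangerService.setType("cm_kms");
+Mockito.when(bizUtil.isAdmin()).thenReturn(false);
+Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
+XXServiceDef xServiceDef = serviceDef();
+XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+xServiceDef.setImplclassname(EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME);
+Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+Mockito.when(xServiceDefDao.findByName("cm_kms")).thenReturn(xServiceDef);
+Mockito.when(serviceMgr.validateConfig(rangerService, svcStore)).thenReturn(vXResponse);
+VXResponse result = serviceREST.validateConfig(rangerService);
+Assertions.assertNotNull(result);
+Mockito.verify(bizUtil).isAdmin();
+Mockito.verify(bizUtil).isKeyAdmin();
+Mockito.verify(serviceMgr).validateConfig(rangerService, svcStore);
+}
+
+@Test
+public void test35fValidateConfig_KeyAdminUser_NonKmsService_ThrowsForbidden() throws Exception {
+RangerService rangerService = rangerService();
+rangerService.setType("hdfs");
+Mockito.when(bizUtil.isAdmin()).thenReturn(false);
+Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
+XXServiceDef xServiceDef = serviceDef();
+XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
+xServiceDef.setImplclassname("org.apache.ranger.services.hdfs.RangerServiceHdfs");
+Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
+Mockito.when(xServiceDefDao.findByName("hdfs")).thenReturn(xServiceDef);
+Mockito.when(restErrorUtil.createRESTException(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString(), Mockito.eq(true)))
+.thenReturn(new WebApplicationException(HttpServletResponse.SC_FORBIDDEN));
+Assertions.assertThrows(WebApplicationException.class, () -> serviceREST.validateConfig(rangerService));
+Mockito.verify(bizUtil).isAdmin();
+Mockito.verify(bizUtil).isKeyAdmin();
+Mockito.verify(serviceMgr, Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
+}
+
 @Test
 public void test40applyPolicy() {
 RangerPolicy existingPolicy = rangerPolicy();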
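Review bot: test35f cannot tell which forbidden branch rejected the call, because both rejections in validateConfig use the same message and the restErrorUtil stub matches `Mockito.anyString()`; add `Mockito.verify(xServiceDefDao).findByName("hdfs");` so the test proves the service-def lookup actually ran rather than the request failing earlier. The `serviceDef == null` arm of the new check is also not covered: a key admin submitting a service type with no XXServiceDef row should be rejected without serviceMgr.validateConfig being called. A test along the lines below (the "unknown_type" value is a constructed sample) would pin that fail-closed behaviour.
```java
@Test
public void test35gValidateConfig_KeyAdminUser_UnknownServiceType_ThrowsForbidden() throws Exception {
    RangerService rangerService = rangerService();
    rangerService.setType("unknown_type");
    Mockito.when(bizUtil.isAdmin()).thenReturn(false);
    Mockito.when(bizUtil.isKeyAdmin()).thenReturn(true);
    XXServiceDefDao xServiceDefDao = Mockito.mock(XXServiceDefDao.class);
    Mockito.when(daoManager.getXXServiceDef()).thenReturn(xServiceDefDao);
    Mockito.when(xServiceDefDao.findByName("unknown_type")).thenReturn(null);
    Mockito.when(restErrorUtil.createRESTException(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString(), Mockito.eq(true)))
            .thenReturn(new WebApplicationException(HttpServletResponse.SC_FORBIDDEN));
    Assertions.assertThrows(WebApplicationException.class, () -> serviceREST.validateConfig(rangerService));
    Mockito.verify(xServiceDefDao).findByName("unknown_type");
    Mockito.verify(serviceMgr, Mockito.never()).validateConfig(Mockito.any(), Mockito.any());
}
```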