RANGER-5342: USER-role users with names similar to admin or keyadmin can query those admin/keyadmin users.

RakeshGuptaDev · RakeshGuptaDev · commit a3f2ba448b04 · 2025-10-07T17:57:45.000+05:30
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -111,6 +111,7 @@
 import javax.ws.rs.core.Response;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -457,13 +458,27 @@ public VXUserList searchXUsers(@Context HttpServletRequest request, @QueryParam(
                     hasRole = !userRolesList.contains(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) ? userRolesList.add(RangerConstants.ROLE_KEY_ADMIN_AUDITOR) : hasRole;
                     hasRole = !userRolesList.contains(RangerConstants.ROLE_USER) ? userRolesList.add(RangerConstants.ROLE_USER) : hasRole;
                 } else if (loggedInVXUser.getUserRoleList().contains(RangerConstants.ROLE_USER)) {
+                    if ((CollectionUtils.isNotEmpty(userRolesList) && (userRolesList.size() != 1 || !userRolesList.contains(RangerConstants.ROLE_USER)))
+                            || (userRole != null && !RangerConstants.ROLE_USER.equals(userRole))) {
+                        throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
+                    }
+
                     logger.info("Logged-In user having user role will be able to fetch his own user details.");
 
-                    if (!searchCriteria.getParamList().containsKey("name")) {
-                        searchCriteria.addParam("name", loggedInVXUser.getName());
-                    } else if (searchCriteria.getParamList().containsKey("name") && !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) && !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())) {
+                    if (searchCriteria.getParamList().containsKey("name") && !stringUtil.isEmpty(searchCriteria.getParamValue("name").toString()) && !searchCriteria.getParamValue("name").toString().equalsIgnoreCase(loggedInVXUser.getName())) {
                         throw restErrorUtil.create403RESTException("Logged-In user is not allowed to access requested user data.");
                     }
+
+                    VXUserList vXUserList = new VXUserList();
+                    vXUserList.setVXUsers(Collections.singletonList(xUserMgr.getMaskedVXUser(loggedInVXUser)));
+                    vXUserList.setStartIndex(searchCriteria.getStartIndex());
+                    vXUserList.setResultSize(vXUserList.getVXUsers().size());
+                    vXUserList.setTotalCount(vXUserList.getVXUsers().size());
+                    vXUserList.setPageSize(searchCriteria.getMaxRows());
+                    vXUserList.setSortBy(searchCriteria.getSortBy());
+                    vXUserList.setSortType(searchCriteria.getSortType());
+
+                    return vXUserList;
                 }
             }
         }
