From 2050b4801e3ec05b7ad99c85698ea046afaee32f Mon Sep 17 00:00:00 2001
From: Rakesh Gupta
Date: Tue, 14 Jan 2025 16:44:13 +0530
Subject: [PATCH] RANGER-4875: Improve API /api/zones/{zoneId}/service-headers to filter services based on zone module access.
Signed-off-by: Dineshkumar Yadav
---
 .../java/org/apache/ranger/biz/SecurityZoneDBStore.java | 6 ++++++
 .../main/java/org/apache/ranger/rest/SecurityZoneREST.java | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java
index 547ed088ef..925a78d050 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SecurityZoneDBStore.java
@@ -22,6 +22,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.apache.ranger.common.MessageEnums;
 import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.common.RangerConstants;
 import org.apache.ranger.db.RangerDaoManager;
 import org.apache.ranger.entity.XXSecurityZone;
 import org.apache.ranger.entity.XXService;
@@ -38,6 +39,7 @@
 import org.apache.ranger.plugin.store.SecurityZonePredicateUtil;
 import org.apache.ranger.plugin.store.SecurityZoneStore;
 import org.apache.ranger.plugin.util.SearchFilter;
+import org.apache.ranger.rest.SecurityZoneREST;
 import org.apache.ranger.service.RangerBaseModelService;
 import org.apache.ranger.service.RangerSecurityZoneServiceService;
 import org.slf4j.Logger;
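Review bot: The added `import org.apache.ranger.rest.SecurityZoneREST;` in the second import hunk makes the biz-layer store depend on a REST resource class solely to reuse a message string, and the SecurityZoneREST.java hunk widens `STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE` from private to public to allow it. If SecurityZoneREST in turn calls into this store (likely, though not visible here), the two packages now depend on each other. I would leave the constant private in the REST class and declare the message somewhere both layers can already reach, for example `public static final String STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE = "User is not authorized to access zone(s).";` in a shared constants class, or as a private copy in SecurityZoneDBStore.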
@@ -247,6 +249,10 @@ public List getSecurityZoneHeaderInfoList(HttpServ
 }
 public List getServiceHeaderInfoListByZoneId(Long zoneId, HttpServletRequest request) {
+ if (!bizUtil.hasModuleAccess(RangerConstants.MODULE_SECURITY_ZONE)) {
+ throw restErrorUtil.createRESTException(SecurityZoneREST.STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE, MessageEnums.OPER_NO_PERMISSION);
+ }
+
 String namePrefix = request.getParameter(SearchFilter.SERVICE_NAME_PREFIX);
 boolean filterByNamePrefix = StringUtils.isNotBlank(namePrefix);
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
index 6689675058..adcbaa2189 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/SecurityZoneREST.java
@@ -90,7 +90,7 @@ public class SecurityZoneREST {
 private static final Logger LOG = LoggerFactory.getLogger(SecurityZoneREST.class);
- private static final String STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE = "User is not authorized to access zone(s).";
+ public static final String STR_USER_NOT_AUTHORIZED_TO_ACCESS_ZONE = "User is not authorized to access zone(s).";
 private static final String ERR_ANOTHER_SEC_ZONE_OPER_IN_PROGRESS = "Another security zone operation is already in progress";
 @Autowired
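Review bot: The guard added at the top of `getServiceHeaderInfoListByZoneId` tests only `RangerConstants.MODULE_SECURITY_ZONE` module access and never consults `zoneId`, so within the visible lines any caller holding the module permission can request service headers for any zone id. The rest of the method lies outside the hunk; if a per-zone restriction is expected, it should be confirmed there. The diffstat lists no test file, so the denial path is unpinned; a test asserting `MessageEnums.OPER_NO_PERMISSION` for a user without the module would cover it. It is also worth confirming that this `createRESTException(String, MessageEnums)` overload produces an authorization-failure status rather than a generic client error, and documenting the check with a comment such as `// Authorization: caller must have Security Zone module access; checked in the store so every caller of this method is covered.`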