| Note |
|---|
Before reporting any security related JIRAs, please go through Apache's guidance for VULNERABILITY HANDLING Please see Lock down Apache Ranger for production deployments |
Fixed in Ranger 0.7.1
...
CVE-2017-7676: Apache Ranger policy evaluation ignores characters after ‘*’ wildcard character
...
Credit: Thanks to Jakub Kałużny from SecuRing for reporting this issue
Best Practices for Securing Ranger
...
- After installation, update passwords for admin accounts. Below admin accounts are created by default.
- admin - change password in Ranger UI
- keyadmin - change password in Ranger UI
- rangerusersync - Use the steps listed in the article Updating rangerusersync password
- rangertagsync - Use the steps listed in the article Tag Sync installation and configuration
- Enable SSL
...