Posted to commits@ambari.apache.org by sm...@apache.org on 2018/06/29 19:21:07 UTC

[ambari] branch trunk updated: AMBARI-24224. Do not filter out /clusters/*/widgets*; we do check authorization later on in the resource provider based on user name (#1650)

This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 83f7227  AMBARI-24224. Do not filter out /clusters/*/widgets*; we do check authorization later on in the resource provider based on user name (#1650)
83f7227 is described below

commit 83f7227d54654f6b8f43103ff4e6fb150cd3fc31
Author: Sandor Molnar <sm...@apache.org>
AuthorDate: Fri Jun 29 21:21:05 2018 +0200

    AMBARI-24224. Do not filter out /clusters/*/widgets*; we do check authorization later on in the resource provider based on user name (#1650)
---
 .../internal/ActiveWidgetLayoutResourceProvider.java        | 13 +++++++++++--
 .../security/authorization/AmbariAuthorizationFilter.java   |  2 ++
 .../internal/ActiveWidgetLayoutResourceProviderTest.java    | 13 ++++++++++++-
 .../authorization/AmbariAuthorizationFilterTest.java        |  5 ++++-
 4 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
index ab18ed4..628c2eb 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProvider.java
@@ -51,6 +51,7 @@ import org.apache.ambari.server.security.authorization.AuthorizationException;
 import org.apache.ambari.server.security.authorization.AuthorizationHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.ambari.server.security.authorization.RoleAuthorization;
+import org.apache.commons.lang3.StringUtils;
 
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
@@ -152,7 +153,7 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
         RoleAuthorization.AMBARI_MANAGE_USERS);
 
     for (Map<String, Object> propertyMap: propertyMaps) {
-      final String userName = propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID).toString();
+      final String userName = getUserName(propertyMap);
 
       // Ensure that the authenticated user has authorization to get this information
       if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
@@ -223,7 +224,7 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
 
         for (Map<String, Object> propertyMap : propertyMaps) {
           // Ensure that the authenticated user has authorization to get this information
-          String userName = propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID).toString();
+          final String userName = getUserName(propertyMap);
           if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
             throw new AuthorizationException();
           }
@@ -252,6 +253,14 @@ public class ActiveWidgetLayoutResourceProvider extends AbstractControllerResour
     return getRequestStatus(null);
   }
 
+  private String getUserName(Map<String, Object> propertyMap) {
+    String userName = propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID) == null ? "" : propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID).toString();
+    if (StringUtils.isBlank(userName)) {
+      userName = AuthorizationHelper.getAuthenticatedName();
+    }
+    return userName;
+  }
+
   @Override
   public RequestStatus deleteResources(Request request, Predicate predicate)
       throws SystemException, UnsupportedPropertyException, NoSuchResourceException, NoSuchParentResourceException {
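Review bot: `getUserName` silently substitutes the caller's own name whenever the `UserName` property is absent or blank, and that substitution is exactly what lets the administrator-or-self check at both call sites pass for a request that names no user; the contract deserves a Javadoc, because a reader of the check alone would not expect a missing property to be accepted. I would add: `/** Resolves the target user of a widget-layout request: the {@code UserName} property when present and non-blank, otherwise the authenticated user, so a request naming no user is treated as self-service and authorized as such. */`. Minor style point: the property is looked up twice on the first line; `Object raw = propertyMap.get(WIDGETLAYOUT_USERNAME_PROPERTY_ID);` followed by `String userName = raw == null ? "" : raw.toString();` reads more directly. Note also that if `AuthorizationHelper.getAuthenticatedName()` returned null here the helper would return null, which is only acceptable if an authenticated principal is guaranteed before the provider runs — something this diff does not show.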
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 8c84363..27eee87 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -72,6 +72,7 @@ public class AmbariAuthorizationFilter implements Filter {
   private static final String API_GROUPS_ALL_PATTERN = API_VERSION_PREFIX + "/groups.*";
   private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+/?)?";
   private static final String API_WIDGET_LAYOUTS_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/widget_layouts.*?";
+  private static final String API_WIDGET_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/widgets.*";
   private static final String API_CLUSTERS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters.*";
   private static final String API_VIEWS_ALL_PATTERN = API_VERSION_PREFIX + "/views.*";
   private static final String API_PERSIST_ALL_PATTERN = API_VERSION_PREFIX + "/persist.*";
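Review bot: The new `API_WIDGET_PATTERN` is broader than its name suggests: `.*?` is not limited to a single path segment and nothing bounds the `widgets` token, so under `String.matches` it also admits `/api/v1/clusters/c1/hosts/h1/widgets`, `/api/v1/clusters/c1/widgetsfoo` and any deeper cluster path containing `widgets`. Because a match is what lets the request past the filter (the new test expects GET, PUT and POST to pass for a cluster operator), the regex should describe only the widgets resource, e.g. `private static final String API_WIDGET_PATTERN = API_VERSION_PREFIX + "/clusters/[^/]+/widgets(/.*)?";`. The neighbouring `API_WIDGET_LAYOUTS_PATTERN` has the same loose shape, but that is pre-existing and not changed here.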
@@ -342,6 +343,7 @@ public class AmbariAuthorizationFilter implements Filter {
         requestURI.matches(API_VIEWS_ALL_PATTERN) ||
         requestURI.matches(VIEWS_CONTEXT_PATH_PATTERN) ||
         requestURI.matches(API_WIDGET_LAYOUTS_PATTERN) ||
+        requestURI.matches(API_WIDGET_PATTERN) ||
         requestURI.matches(API_CLUSTER_HOSTS_ALL_PATTERN) ||
         requestURI.matches(API_CLUSTER_CONFIGURATIONS_ALL_PATTERN) ||
         requestURI.matches(API_CLUSTER_COMPONENTS_ALL_PATTERN) ||
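Review bot: Adding `API_WIDGET_PATTERN` to this allow-list lets any authenticated user, not only administrators, issue GET, PUT and POST (and presumably DELETE) against `/clusters/*/widgets*` — the updated filter test expects all three to pass for a cluster operator. The commit message says the per-user check happens later in the resource provider, but the provider that serves this URL is not part of the diff, so the safety of this line now rests on an invariant that is neither visible nor documented here. I would record that dependency at the branch, `requestURI.matches(API_WIDGET_PATTERN) || // widgets: per-user authorization is enforced in the widget resource provider`, and back it with a provider-level test that a non-administrator cannot read or modify another user's widget, so a regression there cannot pass silently. The enclosing method starts and ends outside this hunk.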
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
index 8bf8227..54e7d3d 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ActiveWidgetLayoutResourceProviderTest.java
@@ -149,6 +149,11 @@ public class ActiveWidgetLayoutResourceProviderTest extends EasyMockSupport {
     updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1", 2L), "User1");
   }
 
+  @Test
+  public void testUpdateResources_NoUserName_Self() throws Exception {
+    updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1", 2L), "User1", false);
+  }
+
   @Test(expected = AuthorizationException.class)
   public void testUpdateResources_NonAdministrator_Other() throws Exception {
     updateResourcesTest(TestAuthenticationFactory.createClusterAdministrator("User1", 2L), "User10");
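Review bot: The new `testUpdateResources_NoUserName_Self` exercises the blank-`UserName` default only through updateResources, while the same `getUserName` substitution is also applied at the provider's other call site (the loop at line +156 of the provider diff), which gets no test here. A companion case on the get side, whatever name matches the existing get-side helper in this class, would pin that path as well. It would also be worth asserting the negative direction — that a request with no `UserName` from a non-administrator resolves to the caller and never to another user — rather than only that it succeeds.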
@@ -255,6 +260,10 @@ public class ActiveWidgetLayoutResourceProviderTest extends EasyMockSupport {
   }
 
   private void updateResourcesTest(Authentication authentication, String requestedUsername) throws Exception {
+    updateResourcesTest(authentication, requestedUsername, true);
+  }
+
+  private void updateResourcesTest(Authentication authentication, String requestedUsername, boolean setUserName) throws Exception {
     Injector injector = createInjector();
 
     Capture<? extends String> widgetLayoutJsonCapture = newCapture();
@@ -293,7 +302,9 @@ public class ActiveWidgetLayoutResourceProviderTest extends EasyMockSupport {
 
     HashMap<String, Object> requestProps = new HashMap<>();
     requestProps.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT, widgetLayouts);
-    requestProps.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID, requestedUsername);
+    if (setUserName) {
+      requestProps.put(ActiveWidgetLayoutResourceProvider.WIDGETLAYOUT_USERNAME_PROPERTY_ID, requestedUsername);
+    }
 
     Request request = PropertyHelper.getUpdateRequest(requestProps, null);
 
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 112bea6..b5f9dfe 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
@@ -187,10 +187,13 @@ public class AmbariAuthorizationFilterTest {
     urlTests.put("/api/v1/users/user2", "POST", true);
     urlTests.put("/api/v1/groups", "GET", true);
     urlTests.put("/api/v1/ldap_sync_events", "GET", false);
+    urlTests.put("/api/v1/clusters/c1/widgets", "GET", true);
+    urlTests.put("/api/v1/clusters/c1/widgets", "PUT", true);
+    urlTests.put("/api/v1/clusters/c1/widgets", "POST", true);
     urlTests.put("/any/other/URL", "GET", true);
     urlTests.put("/any/other/URL", "POST", false);
 
-    performGeneralDoFilterTest(TestAuthenticationFactory.createClusterAdministrator(), urlTests, false);
+    performGeneralDoFilterTest(TestAuthenticationFactory.createClusterOperator(), urlTests, false);
   }
 
   @Test
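Review bot: Switching the principal at line +196 from a cluster administrator to a cluster operator changes the role under which every entry in `urlTests` is evaluated, not just the three widget URLs added here, so the pre-existing expectations in this method (partly outside the hunk) now assert operator behaviour and any administrator-specific coverage is lost. Consider keeping the original call and adding a second `performGeneralDoFilterTest(TestAuthenticationFactory.createClusterOperator(), urlTests, false);`, or moving the widget cases into their own test. There is also no case pinning the boundary of the new pattern — for example `/api/v1/clusters/c1/widgets/1`, or a non-widget path under the cluster that must still be rejected — so an over-broad regex would pass this test unnoticed. The test method begins before this hunk.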