You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/01/23 14:46:50 UTC
Review Request 55843: Trailing slash (/) on cluster resource causes
incorrect authorization logic flow
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55843/
-----------------------------------------------------------
Review request for Ambari, Attila Magyar, Eugene Chekanskiy, Jonathan Hurley, and Laszlo Puskas.
Bugs: AMBARI-19670
https://issues.apache.org/jira/browse/AMBARI-19670
Repository: ambari
Description
-------
Trailing slash (/) on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed.
The problem occurs in the `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter` where the filter attempts to figure out what the user is trying to get access to. Since the regular expression for Cluster resources does acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for authorization checks. It uses the legacy logic, which is a little flawed as well.
The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests:
# From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
```
private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\w+)?";
```
# To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
```
private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\w+/?)?";
```
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 1faadb6
ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java 0ab75c5
Diff: https://reviews.apache.org/r/55843/diff/
Testing
-------
Manually tested
# Jenkins test reults: PENDING
Thanks,
Robert Levas