You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/01/23 14:46:50 UTC

Review Request 55843: Trailing slash (/) on cluster resource causes incorrect authorization logic flow

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55843/
-----------------------------------------------------------

Review request for Ambari, Attila Magyar, Eugene Chekanskiy, Jonathan Hurley, and Laszlo Puskas.


Bugs: AMBARI-19670
    https://issues.apache.org/jira/browse/AMBARI-19670


Repository: ambari


Description
-------

Trailing slash (/) on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed. 

The problem occurs in the `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter` where the filter attempts to figure out what the user is trying to get access to.  Since the regular expression for Cluster resources does acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for authorization checks.  It uses the legacy logic, which is a little flawed as well.

The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests:
# From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
```
  private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\w+)?";
```

# To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
```
private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\w+/?)?";
```


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 1faadb6 
  ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java 0ab75c5 

Diff: https://reviews.apache.org/r/55843/diff/


Testing
-------

Manually tested

# Jenkins test reults: PENDING


Thanks,

Robert Levas