Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/11/24 21:55:57 UTC
Review Request 40670: Change Anonymous API Authentication To A Declared User
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/
-----------------------------------------------------------
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.
Bugs: AMBARI-14044
https://issues.apache.org/jira/browse/AMBARI-14044
Repository: ambari
Description
-------
When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:
```
// Ensure that the authenticated user has authorization to get this information
if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
  throw new AuthorizationException();
}
```
```
java.lang.NullPointerException
at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
```
Recommend changing this option to something like
```
api.authenticated.user=admin
```
This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.
Diffs
-----
ambari-server/conf/unix/ambari.properties ed45ffe
ambari-server/conf/windows/ambari.properties 570e904
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 56034d9
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2
ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c
ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23
ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e
ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08
ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08
ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577
ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b
ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d
ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d
ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8
ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c
ambari-web/app/assets/data/services/ambari.json 0d54fc8
contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71
contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f
Diff: https://reviews.apache.org/r/40670/diff/
Testing
-------
Manually tested
# Local test results: PASSED
# Jenkins test result: PENDING
Thanks,
Robert Levas
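An added example, not code from the Ambari patch: a self-contained Java sketch of the failure in the description above and of two ways to remove it, a null-safe check that fails closed and a filter step that installs the configured user when a request carries no identity. `DeclaredUserDemo`, `AUTHENTICATED_NAME`, `checkLegacy`, `checkNullSafe` and `applyDeclaredUser` are hypothetical names; only the property name `api.authenticated.user` and the shape of the legacy check come from the message.

```java
import java.util.Properties;

public class DeclaredUserDemo {
    // Hypothetical stand-in for the per-request security context (not Ambari's AuthorizationHelper).
    static final ThreadLocal<String> AUTHENTICATED_NAME = new ThreadLocal<>();

    static class AuthorizationException extends Exception {}

    // Shape of the check quoted in the review request: the name is dereferenced unconditionally.
    static void checkLegacy(boolean isAdmin, String requestedUser) throws AuthorizationException {
        if (!isAdmin && !AUTHENTICATED_NAME.get().equalsIgnoreCase(requestedUser)) {
            throw new AuthorizationException();
        }
    }

    // Null-safe variant: a request with no identity is denied instead of crashing.
    static void checkNullSafe(boolean isAdmin, String requestedUser) throws AuthorizationException {
        String name = AUTHENTICATED_NAME.get();
        if (!isAdmin && (name == null || !name.equalsIgnoreCase(requestedUser))) {
            throw new AuthorizationException();
        }
    }

    // Filter step (assumed behaviour): when no identity is present and a declared
    // user is configured, run the request as that user.
    static void applyDeclaredUser(Properties conf) {
        String declared = conf.getProperty("api.authenticated.user");
        if (AUTHENTICATED_NAME.get() == null && declared != null && !declared.trim().isEmpty()) {
            AUTHENTICATED_NAME.set(declared.trim());
        }
    }

    public static void main(String[] args) throws Exception {
        // Anonymous request against the legacy check: the null name is dereferenced.
        try {
            checkLegacy(false, "admin");
        } catch (NullPointerException e) {
            System.out.println("legacy check, no identity: NullPointerException");
        }

        // Same request against the null-safe check: denied cleanly.
        try {
            checkNullSafe(false, "admin");
        } catch (AuthorizationException e) {
            System.out.println("null-safe check, no identity: denied");
        }

        // Constructed configuration carrying the property proposed in the message.
        Properties conf = new Properties();
        conf.setProperty("api.authenticated.user", "admin");
        applyDeclaredUser(conf);
        checkLegacy(false, "admin"); // no exception: an identity is now present
        System.out.println("declared user: request runs as " + AUTHENTICATED_NAME.get());
        AUTHENTICATED_NAME.remove(); // do not leak the identity to the next request on this thread
    }
}
```

In this sketch every request without credentials runs with the declared account's privileges, so the value of `api.authenticated.user` determines what an unauthenticated caller can do.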
Re: Review Request 40670: Change Anonymous API Authentication To A Declared User
Posted by Robert Levas <rl...@hortonworks.com>.
(Updated Nov. 24, 2015, 5:18 p.m.)
Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.
Bugs: AMBARI-14044
https://issues.apache.org/jira/browse/AMBARI-14044
Repository: ambari
Description
-------
When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:
```
// Ensure that the authenticated user has authorization to get this information
if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
  throw new AuthorizationException();
}
```
```
java.lang.NullPointerException
at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
```
Recommend changing this option to something like
```
api.authenticated.user=admin
```
This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.
Diffs (updated)
-----
ambari-server/conf/unix/ambari.properties ed45ffe
ambari-server/conf/windows/ambari.properties 570e904
ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java bd7ac48
ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2
ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c
ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23
ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e
ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08
ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08
ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577
ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b
ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d
ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d
ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8
ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c
ambari-web/app/assets/data/services/ambari.json 0d54fc8
contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71
contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f
Diff: https://reviews.apache.org/r/40670/diff/
Testing
-------
Manually tested
# Local test results: PASSED
# Jenkins test result: PENDING
Thanks,
Robert Levas
Re: Review Request 40670: Change Anonymous API Authentication To A Declared User
Posted by Nate Cole <nc...@hortonworks.com>.
> On Nov. 24, 2015, 4:03 p.m., Jonathan Hurley wrote:
> > ambari-server/conf/unix/ambari.properties, lines 115-116
> > <https://reviews.apache.org/r/40670/diff/1/?file=1139118#file1139118line115>
> >
> > I don't think anyone would normally use this aside from developers. Should we keep it in these files?
Agreed, let's not keep this one in files.
- Nate
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/#review107840
-----------------------------------------------------------
Re: Review Request 40670: Change Anonymous API Authentication To A Declared User
Posted by Jonathan Hurley <jh...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/#review107840
-----------------------------------------------------------
Ship it!
ambari-server/conf/unix/ambari.properties (lines 114 - 115)
<https://reviews.apache.org/r/40670/#comment167167>
I don't think anyone would normally use this aside from developers. Should we keep it in these files?
- Jonathan Hurley
Re: Review Request 40670: Change Anonymous API Authentication To A Declared User
Posted by Nate Cole <nc...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/#review107843
-----------------------------------------------------------
Ship it!
Ship It!
- Nate Cole