You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/11/24 21:55:57 UTC

Review Request 40670: Change Anonymous API Authentication To A Declared User

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/
-----------------------------------------------------------

Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.


Bugs: AMBARI-14044
    https://issues.apache.org/jira/browse/AMBARI-14044


Repository: ambari


Description
-------

When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:

```
// Ensure that the authenticated user has authorization to get this information
      if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
        throw new AuthorizationException();
      }
```

```
java.lang.NullPointerException
	at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
	at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
	at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
	at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
	at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
	at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
```

Recommend changing this option to something like
```
api.authenticated.user=admin
```

This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.


Diffs
-----

  ambari-server/conf/unix/ambari.properties ed45ffe 
  ambari-server/conf/windows/ambari.properties 570e904 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 56034d9 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2 
  ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c 
  ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23 
  ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e 
  ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08 
  ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08 
  ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577 
  ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b 
  ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d 
  ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d 
  ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8 
  ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c 
  ambari-web/app/assets/data/services/ambari.json 0d54fc8 
  contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71 
  contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f 

Diff: https://reviews.apache.org/r/40670/diff/


Testing
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: PENDING


Thanks,

Robert Levas

Re: Review Request 40670: Change Anonymous API Authentication To A Declared User

Posted by Robert Levas <rl...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/
-----------------------------------------------------------

(Updated Nov. 24, 2015, 5:18 p.m.)


Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.


Bugs: AMBARI-14044
    https://issues.apache.org/jira/browse/AMBARI-14044


Repository: ambari


Description
-------

When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:

```
// Ensure that the authenticated user has authorization to get this information
      if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
        throw new AuthorizationException();
      }
```

```
java.lang.NullPointerException
	at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
	at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
	at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
	at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
	at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
	at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
```

Recommend changing this option to something like
```
api.authenticated.user=admin
```

This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.


Diffs (updated)
-----

  ambari-server/conf/unix/ambari.properties ed45ffe 
  ambari-server/conf/windows/ambari.properties 570e904 
  ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264 
  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java bd7ac48 
  ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2 
  ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c 
  ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23 
  ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e 
  ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08 
  ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08 
  ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577 
  ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b 
  ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d 
  ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d 
  ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8 
  ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c 
  ambari-web/app/assets/data/services/ambari.json 0d54fc8 
  contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71 
  contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f 

Diff: https://reviews.apache.org/r/40670/diff/


Testing
-------

Manually tested

# Local test results: PASSED

# Jenkins test result: PENDING


Thanks,

Robert Levas

Re: Review Request 40670: Change Anonymous API Authentication To A Declared User

Posted by Nate Cole <nc...@hortonworks.com>.


> On Nov. 24, 2015, 4:03 p.m., Jonathan Hurley wrote:
> > ambari-server/conf/unix/ambari.properties, lines 115-116
> > <https://reviews.apache.org/r/40670/diff/1/?file=1139118#file1139118line115>
> >
> >     I don't think anyone would normally use this aside from developers. Should we keep it in these files?

Agreed, let's not keep this one in files.


- Nate


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/#review107840
-----------------------------------------------------------


On Nov. 24, 2015, 3:55 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40670/
> -----------------------------------------------------------
> 
> (Updated Nov. 24, 2015, 3:55 p.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.
> 
> 
> Bugs: AMBARI-14044
>     https://issues.apache.org/jira/browse/AMBARI-14044
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:
> 
> ```
> // Ensure that the authenticated user has authorization to get this information
>       if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
>         throw new AuthorizationException();
>       }
> ```
> 
> ```
> java.lang.NullPointerException
> 	at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
> 	at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
> 	at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
> 	at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
> 	at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
> 	at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
> ```
> 
> Recommend changing this option to something like
> ```
> api.authenticated.user=admin
> ```
> 
> This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/ambari.properties ed45ffe 
>   ambari-server/conf/windows/ambari.properties 570e904 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 56034d9 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2 
>   ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c 
>   ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23 
>   ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e 
>   ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08 
>   ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08 
>   ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577 
>   ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b 
>   ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d 
>   ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d 
>   ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8 
>   ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c 
>   ambari-web/app/assets/data/services/ambari.json 0d54fc8 
>   contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71 
>   contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f 
> 
> Diff: https://reviews.apache.org/r/40670/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results: PASSED
> 
> # Jenkins test result: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 40670: Change Anonymous API Authentication To A Declared User

Posted by Jonathan Hurley <jh...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/#review107840
-----------------------------------------------------------

Ship it!



ambari-server/conf/unix/ambari.properties (lines 114 - 115)
<https://reviews.apache.org/r/40670/#comment167167>

    I don't think anyone would normally use this aside from developers. Should we keep it in these files?


- Jonathan Hurley


On Nov. 24, 2015, 3:55 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40670/
> -----------------------------------------------------------
> 
> (Updated Nov. 24, 2015, 3:55 p.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.
> 
> 
> Bugs: AMBARI-14044
>     https://issues.apache.org/jira/browse/AMBARI-14044
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:
> 
> ```
> // Ensure that the authenticated user has authorization to get this information
>       if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
>         throw new AuthorizationException();
>       }
> ```
> 
> ```
> java.lang.NullPointerException
> 	at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
> 	at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
> 	at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
> 	at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
> 	at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
> 	at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
> ```
> 
> Recommend changing this option to something like
> ```
> api.authenticated.user=admin
> ```
> 
> This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/ambari.properties ed45ffe 
>   ambari-server/conf/windows/ambari.properties 570e904 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 56034d9 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2 
>   ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c 
>   ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23 
>   ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e 
>   ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08 
>   ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08 
>   ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577 
>   ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b 
>   ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d 
>   ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d 
>   ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8 
>   ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c 
>   ambari-web/app/assets/data/services/ambari.json 0d54fc8 
>   contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71 
>   contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f 
> 
> Diff: https://reviews.apache.org/r/40670/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results: PASSED
> 
> # Jenkins test result: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Re: Review Request 40670: Change Anonymous API Authentication To A Declared User

Posted by Nate Cole <nc...@hortonworks.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40670/#review107843
-----------------------------------------------------------

Ship it!


Ship It!

- Nate Cole


On Nov. 24, 2015, 3:55 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40670/
> -----------------------------------------------------------
> 
> (Updated Nov. 24, 2015, 3:55 p.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, and Nate Cole.
> 
> 
> Bugs: AMBARI-14044
>     https://issues.apache.org/jira/browse/AMBARI-14044
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> When using `api.authenticate=false`, REST requests to the Ambari APIs don't need to contain any user information. As a result, new code being placed which assumes an authenticated user will throw NPE exceptions:
> 
> ```
> // Ensure that the authenticated user has authorization to get this information
>       if (!isUserAdministrator && !AuthorizationHelper.getAuthenticatedName().equalsIgnoreCase(userName)) {
>         throw new AuthorizationException();
>       }
> ```
> 
> ```
> java.lang.NullPointerException
> 	at org.apache.ambari.server.controller.internal.ActiveWidgetLayoutResourceProvider.getResources(ActiveWidgetLayoutResourceProvider.java:156)
> 	at org.apache.ambari.server.controller.internal.ClusterControllerImpl$ExtendedResourceProviderWrapper.queryForResources(ClusterControllerImpl.java:946)
> 	at org.apache.ambari.server.controller.internal.ClusterControllerImpl.getResources(ClusterControllerImpl.java:132)
> 	at org.apache.ambari.server.api.query.QueryImpl.doQuery(QueryImpl.java:512)
> 	at org.apache.ambari.server.api.query.QueryImpl.queryForResources(QueryImpl.java:381)
> 	at org.apache.ambari.server.api.query.QueryImpl.execute(QueryImpl.java:217)
> ```
> 
> Recommend changing this option to something like
> ```
> api.authenticated.user=admin
> ```
> 
> This will preserve the existing functionality while allowing the new code to continue to assume authenticated users.
> 
> 
> Diffs
> -----
> 
>   ambari-server/conf/unix/ambari.properties ed45ffe 
>   ambari-server/conf/windows/ambari.properties 570e904 
>   ambari-server/src/main/java/org/apache/ambari/server/configuration/Configuration.java ee26264 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java 56034d9 
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 7a2f7d2 
>   ambari-server/src/main/java/org/apache/ambari/server/state/cluster/ClustersImpl.java f735a3c 
>   ambari-server/src/main/java/org/apache/ambari/server/view/ViewRegistry.java d4ceb23 
>   ambari-server/src/test/java/org/apache/ambari/server/view/ViewRegistryTest.java bac556e 
>   ambari-server/src/test/python/stacks/2.3/common/services-hawq-1-host.json 53b3e08 
>   ambari-server/src/test/python/stacks/2.3/common/services-hawq-3-hosts.json 53b3e08 
>   ambari-server/src/test/python/stacks/2.3/common/services-master_ambari_colo-3-hosts.json 876f577 
>   ambari-server/src/test/python/stacks/2.3/common/services-master_standby_colo-3-hosts.json f600e9b 
>   ambari-server/src/test/python/stacks/2.3/common/services-nohawq-3-hosts.json a5fc45d 
>   ambari-server/src/test/python/stacks/2.3/common/services-normal-hawq-3-hosts.json 9fab56d 
>   ambari-server/src/test/python/stacks/2.3/common/services-normal-nohawq-3-hosts.json aec23c8 
>   ambari-server/src/test/python/stacks/2.3/common/services-standby_ambari_colo-3-hosts.json ca0637c 
>   ambari-web/app/assets/data/services/ambari.json 0d54fc8 
>   contrib/ambari-scom/ambari-scom-server/conf/ambari.properties c734b71 
>   contrib/ambari-scom/ambari-scom-server/src/test/resources/ambari.properties 67dbf7f 
> 
> Diff: https://reviews.apache.org/r/40670/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results: PASSED
> 
> # Jenkins test result: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>