Posted to commits@ambari.apache.org by mp...@apache.org on 2014/09/26 18:49:21 UTC

[1/2] git commit: AMBARI-7344. CSRF Prevention is broken for the /proxy endpoint. (mpapirkovskyy)

Repository: ambari
Updated Branches:
  refs/heads/trunk 20f112acd -> b098be07b


AMBARI-7344. CSRF Prevention is broken for the /proxy endpoint. (mpapirkovskyy)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/94bda467
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/94bda467
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/94bda467

Branch: refs/heads/trunk
Commit: 94bda467597a55e75bda1e1469ec969dc7d5e5dc
Parents: 20f112a
Author: Myroslav Papirkovskyy <mp...@hortonworks.com>
Authored: Wed Sep 17 21:19:12 2014 +0300
Committer: Myroslav Papirkovskyy <mp...@hortonworks.com>
Committed: Fri Sep 26 19:34:55 2014 +0300

----------------------------------------------------------------------
 .../java/org/apache/ambari/server/controller/AmbariServer.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/94bda467/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
index e109f7e..a8cf891 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariServer.java
@@ -380,7 +380,7 @@ public class AmbariServer {
         sh.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
                     "org.apache.ambari.server.api.AmbariCsrfProtectionFilter");
         proxy.setInitParameter("com.sun.jersey.spi.container.ContainerRequestFilters",
-                    "com.sun.jersey.api.container.filter.AmbariCsrfProtectionFilter");
+                    "org.apache.ambari.server.api.AmbariCsrfProtectionFilter");
       }
 
       //Set jetty thread pool
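Review bot: The filter class is still named by a hand-typed string at both the `sh` and `proxy` registrations, so the kind of package typo this commit corrects can recur without the compiler noticing. Deriving the value from the class itself, e.g. `AmbariCsrfProtectionFilter.class.getName()`, would keep the two registrations in step; this assumes the class can be imported into AmbariServer, which the hunk does not show. A unit test or startup check that the `proxy` servlet's `com.sun.jersey.spi.container.ContainerRequestFilters` init parameter names a loadable class would catch a silent loss of CSRF protection on `/proxy`. The enclosing block starts and ends outside the hunk.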


[2/2] git commit: AMBARI-7329. Error updating configs with OPERATOR user. (mpapirkovskyy)

Posted by mp...@apache.org.
AMBARI-7329. Error updating configs with OPERATOR user. (mpapirkovskyy)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b098be07
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b098be07
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b098be07

Branch: refs/heads/trunk
Commit: b098be07ba5a2e7beecc6f70324ae0ff6e38fe3c
Parents: 94bda46
Author: Myroslav Papirkovskyy <mp...@hortonworks.com>
Authored: Fri Sep 26 19:49:00 2014 +0300
Committer: Myroslav Papirkovskyy <mp...@hortonworks.com>
Committed: Fri Sep 26 19:49:00 2014 +0300

----------------------------------------------------------------------
 .../security/authorization/AmbariAuthorizationFilter.java   | 9 +++++++++
 1 file changed, 9 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/b098be07/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index aae967d..658fc80 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -19,6 +19,7 @@
 package org.apache.ambari.server.security.authorization;
 
 import java.io.IOException;
+import java.util.regex.Pattern;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -47,6 +48,8 @@ public class AmbariAuthorizationFilter implements Filter {
 
   private static final String INTERNAL_TOKEN_HEADER = "X-Internal-Token";
 
+  private static final Pattern STACK_ADVISOR_REGEX = Pattern.compile("/api/v[0-9]+/stacks/[^/]+/versions/[^/]+/validations.*");
+
   /**
    * The realm to use for the basic http auth
    */
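Review bot: `STACK_ADVISOR_REGEX` ends in `validations.*`, and because it is applied with `matches()` later in this file, the trailing `.*` makes it a prefix match. Any path whose final segment merely begins with `validations`, and anything beneath it, therefore qualifies for the CLUSTER_OPERATE exemption. If only the validations resource and its children are intended, `validations(/.*)?` is tighter. A short Javadoc on the constant saying which endpoint it exempts from the permission model, and why, would help whoever revisits the TODO.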
@@ -96,6 +99,12 @@ public class AmbariAuthorizationFilter implements Filter {
               authorized = true;
               break;
             }
+          } else if (STACK_ADVISOR_REGEX.matcher(requestURI).matches()) {
+            //TODO permissions model doesn't manage stacks api, but we need access to stack advisor to save configs
+            if (permissionId.equals(PermissionEntity.CLUSTER_OPERATE_PERMISSION)) {
+              authorized = true;
+              break;
+            }
           } else if (requestURI.matches("/api/v[0-9]+/views.*")) {
             // views require permission
             if (permissionId.equals(PermissionEntity.VIEW_USE_PERMISSION)) {
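Review bot: The new `else if` sets `authorized = true` for a holder of `PermissionEntity.CLUSTER_OPERATE_PERMISSION` on every HTTP method of a matching URI; nothing in the hunk limits it to the request the stack advisor needs. If the advisor is only called with one method (presumably POST, to be confirmed), the condition should also compare the request method so the exemption does not extend to other verbs on the stacks API. The match is made on `requestURI` as received, and whether that value is normalized before it reaches this filter is not visible here; that is worth confirming because the decision depends on path segments. The TODO would be easier to track as `// TODO(AMBARI-7329): stacks API is not covered by the permission model; operators are let through only for stack-advisor validations`. The surrounding loop and if-chain start and end outside the hunk.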