Posted to issues@storm.apache.org by "Aaron Gresch (JIRA)" <ji...@apache.org> on 2018/10/11 16:22:00 UTC

[jira] [Updated] (STORM-3251) Using Logviewer Filter settings causes anyone to access logs via log viewer REST API

     [ https://issues.apache.org/jira/browse/STORM-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aaron Gresch updated STORM-3251:
--------------------------------
    Description: 
The REST API for logviewer access is checking if UI filter params is set to deny access to users.  It's possible now to configure the logviewer without UI filter params, so this check is no longer sufficient and can allow anyone access to logs.

 

See ResourceAuthorizer line 68....

  was:The REST API for logviewer access is checking if UI filter params is set to deny access to users.  It's possible now to configure the logviewer without UI filter params, so this check is no longer sufficient and can allow anyone access to logs.


> Using Logviewer Filter settings causes anyone to access logs via log viewer REST API
> ------------------------------------------------------------------------------------
>
>                 Key: STORM-3251
>                 URL: https://issues.apache.org/jira/browse/STORM-3251
>             Project: Apache Storm
>          Issue Type: Bug
>            Reporter: Aaron Gresch
>            Assignee: Aaron Gresch
>            Priority: Critical
>
> The REST API for logviewer access is checking if UI filter params is set to deny access to users.  It's possible now to configure the logviewer without UI filter params, so this check is no longer sufficient and can allow anyone access to logs.
>  
> See ResourceAuthorizer line 68....



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
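
The fail-open pattern described in the issue above, modelled as an added example (not part of the original message and not Storm's ResourceAuthorizer code), with one way to close the gap. The class, method and configuration key names are assumptions made for illustration, and the configuration is constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the check described in STORM-3251.
// Not Storm's ResourceAuthorizer; class, method and key names are assumptions.
public class LogAccessCheckDemo {
    static final String UI_FILTER = "ui.filter";               // assumed key name
    static final String LOGVIEWER_FILTER = "logviewer.filter"; // assumed key name

    static boolean isBlank(Object value) {
        return value == null || value.toString().trim().isEmpty();
    }

    // Hypothetical stand-in for the per-file ACL lookup.
    static boolean isAuthorizedLogUser(String user, String logOwner) {
        return user != null && user.equals(logOwner);
    }

    // Before: "no UI filter configured" is read as "no authentication in use",
    // so the ACL is skipped even when the logviewer has its own filter.
    static boolean allowedBefore(Map<String, Object> conf, String user, String logOwner) {
        return isBlank(conf.get(UI_FILTER)) || isAuthorizedLogUser(user, logOwner);
    }

    // After: skip the ACL only when neither daemon has a filter configured.
    static boolean allowedAfter(Map<String, Object> conf, String user, String logOwner) {
        boolean noFilter = isBlank(conf.get(UI_FILTER))
                && isBlank(conf.get(LOGVIEWER_FILTER));
        return noFilter || isAuthorizedLogUser(user, logOwner);
    }

    public static void main(String[] args) {
        // Constructed configuration: logviewer filter set, UI filter absent.
        Map<String, Object> conf = new HashMap<>();
        conf.put(LOGVIEWER_FILTER, "com.example.AuthFilter"); // placeholder class

        // "mallory" is authenticated but does not own the requested log.
        System.out.println("before: " + allowedBefore(conf, "mallory", "alice"));
        System.out.println("after:  " + allowedAfter(conf, "mallory", "alice"));
        System.out.println("owner:  " + allowedAfter(conf, "alice", "alice"));
    }
}
```

When reviewing a deployment, the combination to look for is a logviewer filter configured with no UI filter, since that is the case the original check treats as unauthenticated.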