[GitHub] [dolphinscheduler] rickchengx commented on pull request #12917: [Fix-12916] Add permission check when query or download log

Sun, 20 Nov 2022 18:22:17 -0800 


rickchengx commented on PR #12917:
URL: 
https://github.com/apache/dolphinscheduler/pull/12917#issuecomment-1321363449

   > > I dont't think it's a bug. It need to be disscussed. cc @ruanwenjun 
@caishunfeng @EricGao888 @zhongjiajie
   > 
   > I agree with @rickchengx, users may make bad log decisions which will lead 
to security issue, so there's a strong need to for this permission check. In 
addition, i suggest to add request to apply for temporary permission to query 
and download logs for users who don't have permission, and this application can 
be approved by administrator.
   
   Hi, @Radeity Thanks for your comment.
   
   I agree that permission check is required when user query or download task 
logs.
   
   ### Can admin authorize the log permission to the user in this PR?
   
   Currently, admin can authorize users for the following resources: (E.g., 
project / resource / ....)
   
   <img width="383" alt="截屏2022-11-21 10 08 43" 
src="https://user-images.githubusercontent.com/38122586/202945913-b95d6767-a9ba-41f2-8190-d19a9136c158.png";>
   
   And in the design of this PR:
   Only **users with project permissions** to which the task instance belongs 
can query or download the logs of that task instance.
   
   **Because I think the log of the task can be viewed only if the user can 
view the task.**
   
   So in this PR, admin can authorize the log permission to the user by 
authorize users for the `project` resource.
   
   
   
   As for what you said, whether the administrator can individually add the log 
permission of a certain task instance to the user, I think it can be discussed 
and done after solving this security problem.
   
   WDYT
   
   cc @SbloodyS 
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to