This is an automated email from the ASF dual-hosted git repository.
mgreber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 9e661cb34 [webserver] Add 403 Forbidden HTTP status code
9e661cb34 is described below
commit 9e661cb34ab025456e51241085ea90a93b1ccee1
Author: gabriellalotz <[email protected]>
AuthorDate: Thu Apr 24 12:02:15 2025 +0000
[webserver] Add 403 Forbidden HTTP status code
Introduce support for the 403 Forbidden response code to improve error
handling in the REST API. The status code was integrated into the
webserver and applied to relevant REST catalog path handlers to ensure
proper authorization feedback.
Change-Id: I5c3e1b89c7a673b7de0567958ba23beb57d7f2db
Reviewed-on: http://gerrit.cloudera.org:8080/22810
Reviewed-by: Zoltan Chovan <[email protected]>
Tested-by: Marton Greber <[email protected]>
Reviewed-by: Marton Greber <[email protected]>
---
src/kudu/master/rest_catalog_path_handlers.cc | 7 +++++++
src/kudu/server/webserver.cc | 2 ++
src/kudu/util/web_callback_registry.h | 1 +
3 files changed, 10 insertions(+)
diff --git a/src/kudu/master/rest_catalog_path_handlers.cc
b/src/kudu/master/rest_catalog_path_handlers.cc
index 8ae1f3e25..d013c41b2 100644
--- a/src/kudu/master/rest_catalog_path_handlers.cc
+++ b/src/kudu/master/rest_catalog_path_handlers.cc
@@ -94,6 +94,13 @@ static bool CheckIsInitializedAndIsLeader(JsonWriter& jw,
// NOLINT JsonWriter
static HttpStatusCode GetHttpCodeFromStatus(const Status& status) {
DCHECK(!status.ok());
+ // After SPNEGO authentication, the server assumes the caller is known and
authenticated.
+ // A NotAuthorized status at this point indicates the user is authenticated
but lacks permission,
+ // which semantically maps better to HTTP 403 Forbidden than 401
Unauthorized.
+ // See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status#client_error_responses
+ if (status.IsNotAuthorized()) {
+ return HttpStatusCode::Forbidden;
+ }
if (status.IsInvalidArgument() || status.IsAlreadyPresent()) {
return HttpStatusCode::BadRequest;
}
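Review bot: The new NotAuthorized branch in GetHttpCodeFromStatus maps to 403 unconditionally, but whether the caller was actually authenticated is a property of the webserver configuration, not of the Status; if these REST catalog handlers can be reached while SPNEGO is not required, a NotAuthorized status would still yield 403 where 401 would be the honest answer. The added comment asserts that authentication has happened rather than stating the dependency, so I would word it as `// Callers reach this handler only after webserver (SPNEGO) authentication succeeded, so NotAuthorized means authenticated-but-unpermitted -> 403; revisit if these handlers become reachable unauthenticated.` The diffstat lists no test change; a unit test asserting that a NotAuthorized status maps to `HttpStatusCode::Forbidden` (and that the new string case in HttpStatusCodeToString yields "403 Forbidden") would pin the mapping across the enum, the switch and this function, which must be kept in sync by hand. The function body continues past the end of the hunk.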
diff --git a/src/kudu/server/webserver.cc b/src/kudu/server/webserver.cc
index eff78ad85..f247f1439 100644
--- a/src/kudu/server/webserver.cc
+++ b/src/kudu/server/webserver.cc
@@ -163,6 +163,8 @@ string HttpStatusCodeToString(kudu::HttpStatusCode code) {
return "400 Bad Request";
case kudu::HttpStatusCode::AuthenticationRequired:
return "401 Authentication Required";
+ case kudu::HttpStatusCode::Forbidden:
+ return "403 Forbidden";
case kudu::HttpStatusCode::NotFound:
return "404 Not Found";
case kudu::HttpStatusCode::MethodNotAllowed:
diff --git a/src/kudu/util/web_callback_registry.h
b/src/kudu/util/web_callback_registry.h
index 4d354cea2..83117f684 100644
--- a/src/kudu/util/web_callback_registry.h
+++ b/src/kudu/util/web_callback_registry.h
@@ -32,6 +32,7 @@ enum class HttpStatusCode {
TemporaryRedirect, //307
BadRequest, // 400
AuthenticationRequired, // 401
+ Forbidden, // 403
NotFound, // 404
MethodNotAllowed, // 405
LengthRequired, // 411