[ https://issues.apache.org/jira/browse/FALCON-466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079399#comment-14079399 ]

Venkatesh Seetharam commented on FALCON-466:
--------------------------------------------

[~bvellanki], I think this was not the intent of the jira. The solution you 
have in the patch is already part of FALCON-464. The intent of this jira, as the 
summary says, is to implicitly filter the entities for the authenticated user. 
You could use one of the methods on the AuthorizationProvider to check if the 
entity in question is indeed allowed to be viewed by the authenticated user.

The following APIs need to filter the entities in question before returning 
them.
* api/entities/list - org.apache.falcon.resource.AbstractEntityManager#getEntityList

Instance list is fine since the entity in question is already authorized.

Makes sense?
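To illustrate the distinction the comment draws (a list endpoint that implicitly filters by the caller's authorization, versus one that returns every entity and leaves lifecycle operations to check ownership), here is an added, self-contained example. It is not Falcon code: `Entity`, `User`, `AuthorizationProvider.authorize`, `list_entities` and `lifecycle_op` are hypothetical stand-ins for AbstractEntityManager#getEntityList and the real AuthorizationProvider, and the store contents are constructed sample data.

```python
"""Implicit owner filtering on a list API (constructed example, not Falcon code).

The names below are hypothetical stand-ins for the roles discussed in the
comment: `list_entities` plays AbstractEntityManager#getEntityList and
`AuthorizationProvider` plays org.apache.falcon.security.AuthorizationProvider.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Entity:
    name: str
    owner: str
    # Groups whose members may view (list) the entity in addition to the owner.
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    is_admin: bool = False


class AuthorizationProvider:
    """Single decision point: may `user` perform `action` on `entity`?"""

    def authorize(self, user: User, entity: Entity, action: str) -> bool:
        if user.is_admin or entity.owner == user.name:
            return True
        # Group members may list an entity but never run lifecycle actions on it.
        return action == "list" and bool(user.groups & entity.groups)


def list_entities_unfiltered(store: Iterable[Entity]) -> List[str]:
    """The shape the comment objects to: every caller sees everyone's entities."""
    return sorted(e.name for e in store)


def list_entities(store: Iterable[Entity], user: User,
                  provider: AuthorizationProvider) -> List[str]:
    """Implicit filter: only entities the authenticated user may view are returned."""
    return sorted(e.name for e in store if provider.authorize(user, e, "list"))


def lifecycle_op(store: Iterable[Entity], user: User, provider: AuthorizationProvider,
                 name: str, action: str) -> str:
    """delete/kill/suspend/resume: the entity itself is authorized before acting."""
    entity: Optional[Entity] = next((e for e in store if e.name == name), None)
    if entity is None or not provider.authorize(user, entity, action):
        # One response for "unknown" and "not yours", so a denied call does not
        # reveal whether another user's entity with that name exists.
        raise PermissionError(f"{action} on {name!r} not permitted for {user.name}")
    return f"{action}:{name}"


def is_permitted(store, user, provider, name, action) -> bool:
    """Boolean view of lifecycle_op for callers that only need the decision."""
    try:
        lifecycle_op(store, user, provider, name, action)
        return True
    except PermissionError:
        return False


# Constructed sample data (hypothetical users and entities).
STORE = [
    Entity("alice-feed", "alice"),
    Entity("bob-process", "bob", frozenset({"analytics"})),
    Entity("carol-cluster", "carol"),
]
PROVIDER = AuthorizationProvider()
ALICE = User("alice")
DAVE = User("dave", frozenset({"analytics"}))  # group member, owns nothing

if __name__ == "__main__":
    print("unfiltered:", list_entities_unfiltered(STORE))
    print("alice sees:", list_entities(STORE, ALICE, PROVIDER))
    print("dave sees: ", list_entities(STORE, DAVE, PROVIDER))
    print("alice suspend own:", lifecycle_op(STORE, ALICE, PROVIDER, "alice-feed", "suspend"))
    print("dave delete bob's:", is_permitted(STORE, DAVE, PROVIDER, "bob-process", "delete"))
```

The point of the example is that the same `authorize` call used to gate a lifecycle action is also what the list endpoint consults, so the list never exposes names the caller could not act on, and an instance listing under an already-authorized entity needs no second filter.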

> REST APIs must add the entity owner as an implicit filter
> ---------------------------------------------------------
>
>                 Key: FALCON-466
>                 URL: https://issues.apache.org/jira/browse/FALCON-466
>             Project: Falcon
>          Issue Type: Sub-task
>          Components: webapp
>    Affects Versions: 0.6
>            Reporter: Venkatesh Seetharam
>            Assignee: Balu Vellanki
>              Labels: authorization, security
>             Fix For: 0.6
>
>         Attachments: FALCON-466.patch
>
>
> Implement authorization for entity actions. Entity created by one user should 
> not be updated/deleted by another user. Entity operations will only apply for 
> the entities owned by that user.
> Entity and instance operations must add the authenticated user/owner as an 
> implicit filter so the user operates on only his entities. For example: List 
> will return entities belonging to the authenticated user, lifecycle 
> operations such as delete/kill/suspend/resume/etc. are only applicable to the 
> owner of the entity. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)
