Robert Levas created AMBARI-19670:
-------------------------------------
Summary: Trailing slash (/) on cluster resource causes incorrect
authorization logic flow
Key: AMBARI-19670
URL: https://issues.apache.org/jira/browse/AMBARI-19670
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.4.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.5.0
Trailing slash (/) on cluster resource causes incorrect authorization logic
flow. It is debatable whether Ambari should allow this, but since it seems to
in other cases - like if the user was an Ambari Administrator - this should be
fixed.
The problem occurs in the
{{org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter}}
where the filter attempts to figure out what the user is trying to get access
to. Since the regular expression for Cluster resources does acknowledge that a
trailing "/" after the cluster name indicates a cluster, the request does not
fall through to the Cluster resource handler
({{org.apache.ambari.server.controller.internal.ClusterResourceProvider}}) for
authorization checks. It uses the legacy logic, which is a little flawed as
well.
The fix for this is to allow the trailing "/" in the regular expression
representing Cluster requests:
{code:title=From
org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX +
"/clusters/(\\w+)?";
{code}
{code:title=To
org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX +
"/clusters/(\\w+/?)?";
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
