[jira] [Updated] (AMBARI-19670) Trailing slash (/) on cluster resource causes incorrect authorization logic flow

Mon, 23 Jan 2017 06:42:28 -0800 

     [ 
https://issues.apache.org/jira/browse/AMBARI-19670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Levas updated AMBARI-19670:
----------------------------------
    Status: Patch Available  (was: In Progress)

> Trailing slash (/) on cluster resource causes incorrect authorization logic 
> flow
> --------------------------------------------------------------------------------
>
>                 Key: AMBARI-19670
>                 URL: https://issues.apache.org/jira/browse/AMBARI-19670
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.5.0
>
>         Attachments: AMBARI-19670_trunk_01.patch
>
>
> Trailing slash (/) on cluster resource causes incorrect authorization logic 
> flow. It is debatable whether Ambari should allow this, but since it seems to 
> in other cases - like if the user was an Ambari Administrator - this should 
> be fixed. 
> The problem occurs in the 
> {{org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter}} 
> where the filter attempts to figure out what the user is trying to get access 
> to.  Since the regular expression for Cluster resources does acknowledge that 
> a trailing "/" after the cluster name indicates a cluster, the request does 
> not fall through to the Cluster resource handler 
> ({{org.apache.ambari.server.controller.internal.ClusterResourceProvider}}) 
> for authorization checks.  It uses the legacy logic, which is a little flawed 
> as well.
> The fix for this is to allow the trailing "/" in the regular expression 
> representing Cluster requests:
> {code:title=From 
> org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
>   private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + 
> "/clusters/(\\w+)?";
> {code}
> {code:title=To 
> org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
>   private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + 
> "/clusters/(\\w+/?)?";
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to