Zameer Manji created AURORA-837:
-----------------------------------
Summary: validateSessionKeyForTasks can pass empty set of roles to checkAuthenticated
Key: AURORA-837
URL: https://issues.apache.org/jira/browse/AURORA-837
Project: Aurora
Issue Type: Bug
Reporter: Zameer Manji
SchedulerThriftInterface.java contains the following:
{noformat}
private SessionContext validateSessionKeyForTasks(
    SessionKey session,
    Query.Builder taskQuery,
    Iterable<IScheduledTask> tasks) throws AuthFailedException {

  // Authenticate the session against any affected roles, always including the role for a
  // role-scoped query. This papers over the implementation detail that dormant cron jobs are
  // authenticated this way.
  ImmutableSet.Builder<String> targetRoles = ImmutableSet.<String>builder()
      .addAll(FluentIterable.from(tasks).transform(GET_ROLE));
  if (taskQuery.get().isSetOwner()) {
    targetRoles.add(taskQuery.get().getOwner().getRole());
  }
  return sessionValidator.checkAuthenticated(session, targetRoles.build());
}
{noformat}
Since the owner field is deprecated and a cron job may not have any tasks
available, this can pass an empty set into {{checkAuthenticated}}. We should
also grab the role from the query.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
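The following is an added, self-contained Java example (not Aurora's code) that illustrates the problem described in the issue and the proposed fix. The class names (TaskQuery, Task, SessionValidator) are simplified stand-ins for Query.Builder, IScheduledTask and Aurora's session validator, and the permitted-roles map is constructed data; the fail-closed check on an empty target set inside checkAuthenticated is an assumption added as defense in depth, not something the issue states about Aurora's validator.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example, not Aurora's code. Names are simplified stand-ins for the
// classes in the issue: TaskQuery ~ Query.Builder, Task ~ IScheduledTask.
public class RoleScopedAuthExample {

  static final class AuthFailedException extends Exception {
    AuthFailedException(String msg) { super(msg); }
  }

  static final class Task {
    final String role;
    Task(String role) { this.role = role; }
  }

  // A query may carry a role directly and/or a (deprecated) owner whose role is used.
  static final class TaskQuery {
    final Optional<String> role;
    final Optional<String> ownerRole;
    TaskQuery(Optional<String> role, Optional<String> ownerRole) {
      this.role = role;
      this.ownerRole = ownerRole;
    }
  }

  // Maps a session key to the roles that session may act for (constructed data).
  static final class SessionValidator {
    private final Map<String, Set<String>> permittedRoles;
    SessionValidator(Map<String, Set<String>> permittedRoles) { this.permittedRoles = permittedRoles; }

    String checkAuthenticated(String sessionKey, Set<String> targetRoles) throws AuthFailedException {
      // Assumed defense in depth: with no target roles the loop below could never reject
      // anything, so refuse rather than authorize vacuously.
      if (targetRoles.isEmpty()) {
        throw new AuthFailedException("no target roles; refusing to authorize vacuously");
      }
      Set<String> permitted = permittedRoles.getOrDefault(sessionKey, Collections.emptySet());
      for (String role : targetRoles) {
        if (!permitted.contains(role)) {
          throw new AuthFailedException("session not authorized for role " + role);
        }
      }
      return sessionKey; // stands in for the returned SessionContext
    }
  }

  // Role set as built in the issue's snippet: task roles plus the deprecated owner role only.
  static Set<String> legacyTargetRoles(TaskQuery query, List<Task> tasks) {
    Set<String> roles = new LinkedHashSet<>();
    for (Task t : tasks) {
      roles.add(t.role);
    }
    query.ownerRole.ifPresent(roles::add);
    return Collections.unmodifiableSet(roles);
  }

  // Proposed fix: also include the query's own role, so a dormant cron job with no tasks
  // and no owner still yields a non-empty set to authorize against.
  static Set<String> targetRoles(TaskQuery query, List<Task> tasks) {
    Set<String> roles = new LinkedHashSet<>(legacyTargetRoles(query, tasks));
    query.role.ifPresent(roles::add);
    return Collections.unmodifiableSet(roles);
  }

  public static void main(String[] args) throws AuthFailedException {
    SessionValidator validator = new SessionValidator(Map.of(
        "alice-session", Set.of("www-data"),
        "mallory-session", Set.of("mallory")));

    // Dormant cron job: no tasks, query scoped by role only, owner unset.
    TaskQuery cronQuery = new TaskQuery(Optional.of("www-data"), Optional.empty());
    List<Task> noTasks = List.of();

    Set<String> legacy = legacyTargetRoles(cronQuery, noTasks); // []
    Set<String> fixed = targetRoles(cronQuery, noTasks);        // [www-data]
    System.out.println("legacy target roles: " + legacy + ", fixed target roles: " + fixed);

    for (String session : List.of("mallory-session", "alice-session")) {
      try {
        validator.checkAuthenticated(session, legacy);
        System.out.println(session + " allowed against legacy set");
      } catch (AuthFailedException e) {
        System.out.println(session + " denied against legacy set: " + e.getMessage());
      }
    }

    try {
      validator.checkAuthenticated("mallory-session", fixed);
    } catch (AuthFailedException e) {
      System.out.println("mallory-session denied against fixed set: " + e.getMessage());
    }
    System.out.println("alice-session allowed for: " + validator.checkAuthenticated("alice-session", fixed));
  }
}
```

The two layers are deliberately independent: the caller guarantees a non-empty role set by including the query's role, and the validator refuses an empty set regardless, so a future caller that forgets the first step cannot turn an authorization check into a no-op.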