[ 
https://issues.apache.org/jira/browse/AURORA-837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Zameer Manji updated AURORA-837:
--------------------------------
    Priority: Blocker  (was: Major)

> validateSessionKeyForTasks can pass empty set of roles to checkAuthenticated
> ----------------------------------------------------------------------------
>
>                 Key: AURORA-837
>                 URL: https://issues.apache.org/jira/browse/AURORA-837
>             Project: Aurora
>          Issue Type: Bug
>            Reporter: Zameer Manji
>            Priority: Blocker
>
> SchedulerThriftInterface.java contains the following:
> {noformat}
>   private SessionContext validateSessionKeyForTasks(
>       SessionKey session,
>       Query.Builder taskQuery,
>       Iterable<IScheduledTask> tasks) throws AuthFailedException {
>     // Authenticate the session against any affected roles, always including 
> the role for a
>     // role-scoped query.  This papers over the implementation detail that 
> dormant cron jobs are
>     // authenticated this way.
>     ImmutableSet.Builder<String> targetRoles = ImmutableSet.<String>builder()
>         .addAll(FluentIterable.from(tasks).transform(GET_ROLE));
>     if (taskQuery.get().isSetOwner()) {
>       targetRoles.add(taskQuery.get().getOwner().getRole());
>     }
>     return sessionValidator.checkAuthenticated(session, targetRoles.build());
>   }
> {noformat}
> Since the owner field is deprecated and a cron job may not have any tasks 
> available, this can pass an empty set into {{checkAuthenticated}}. We should 
> also grab the role from the query.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
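The edge case in the report, as an added, self-contained illustration that is not Aurora's code: `ScheduledTask`, `TaskQuery`, `Session` and the two `targetRoles*` helpers are simplified stand-ins for `IScheduledTask`, `Query.Builder`, `SessionKey` and the method quoted above, and the fail-closed guard on an empty role set inside `checkAuthenticated` is an assumption about how a validator should behave, not a description of what Aurora's `sessionValidator` does. The constructed input is a dormant cron job queried by its role, with no tasks and no deprecated owner field, so the original role-gathering logic yields an empty set while the corrected one still produces the role that must be authorized.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;

// Hypothetical stand-ins for Aurora's types; only the fields needed for the
// role-gathering logic are modelled.
public class RoleScopedAuthExample {

  static final class AuthFailedException extends Exception {
    AuthFailedException(String msg) { super(msg); }
  }

  /** Stand-in for IScheduledTask: only the owning role is needed here. */
  record ScheduledTask(String role) {}

  /** Stand-in for a task query: owner is the deprecated field, role the current one. */
  record TaskQuery(Optional<String> ownerRole, Optional<String> role) {}

  /** Stand-in for a session: the set of roles the caller is allowed to act as. */
  record Session(Set<String> roles) {}

  // Same shape as the quoted method: roles come only from the matched tasks
  // and from the deprecated owner field of the query.
  static Set<String> targetRolesOriginal(TaskQuery query, List<ScheduledTask> tasks) {
    Set<String> roles = new HashSet<>();
    for (ScheduledTask t : tasks) {
      roles.add(t.role());
    }
    query.ownerRole().ifPresent(roles::add);
    return roles;
  }

  // The change the report asks for: also take the role carried by the query itself.
  static Set<String> targetRolesFixed(TaskQuery query, List<ScheduledTask> tasks) {
    Set<String> roles = targetRolesOriginal(query, tasks);
    query.role().ifPresent(roles::add);
    return roles;
  }

  // Stand-in for sessionValidator.checkAuthenticated. Refusing an empty target
  // set is an added assumption: a containsAll() check against an empty set is
  // vacuously true, so without this guard any session would pass.
  static void checkAuthenticated(Session session, Set<String> targetRoles)
      throws AuthFailedException {
    if (targetRoles.isEmpty()) {
      throw new AuthFailedException("refusing to authorize against an empty role set");
    }
    if (!session.roles().containsAll(targetRoles)) {
      throw new AuthFailedException("session lacks roles " + targetRoles);
    }
  }

  public static void main(String[] args) {
    // Constructed input: a dormant cron job (no active tasks) queried by role,
    // so neither the task list nor the deprecated owner field yields a role.
    TaskQuery dormantCron = new TaskQuery(Optional.empty(), Optional.of("www-data"));
    List<ScheduledTask> noTasks = Collections.emptyList();
    Session otherUser = new Session(Set.of("someone-else"));

    System.out.println("original target roles: " + targetRolesOriginal(dormantCron, noTasks));
    System.out.println("fixed target roles:    " + targetRolesFixed(dormantCron, noTasks));

    try {
      checkAuthenticated(otherUser, targetRolesFixed(dormantCron, noTasks));
      System.out.println("unexpected: session authorized");
    } catch (AuthFailedException e) {
      System.out.println("fixed path rejects: " + e.getMessage());
    }
  }
}
```

Run with `java RoleScopedAuthExample.java` (Java 16 or later, for records). The point of keeping both helpers side by side is that the second one is the only line that changes; the empty-set guard in `checkAuthenticated` is the belt-and-braces check a reviewer would want regardless, because an authorization check that is handed nothing to authorize against should fail, not succeed.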
