[
https://issues.apache.org/jira/browse/STORM-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aaron Gresch updated STORM-3251:
--------------------------------
Description:
The rest API for logviewer access is checking if UI filter params is set to
deny access to users. It's possible now to configure the logviewer without UI
filter params, so this check is no longer sufficient and can allow anyone
access to logs.
See ResourceAuthorizer line 68....
was:The rest API for logviewer access is checking if UI filter params is set
to deny access to users. It's possible now to configure the logviewer without
UI filter params, so this check is no longer sufficient and can allow anyone
access to logs.
> Using Logviewer Filter settings causes anyone to access logs via log viewer
> REST API
> ------------------------------------------------------------------------------------
>
> Key: STORM-3251
> URL: https://issues.apache.org/jira/browse/STORM-3251
> Project: Apache Storm
> Issue Type: Bug
> Reporter: Aaron Gresch
> Assignee: Aaron Gresch
> Priority: Critical
>
> The rest API for logviewer access is checking if UI filter params is set to
> deny access to users. It's possible now to configure the logviewer without
> UI filter params, so this check is no longer sufficient and can allow anyone
> access to logs.
>
> See ResourceAuthorizer line 68....
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
