[jira] [Updated] (STORM-3251) Using Logviewer Filter settings causes anyone to access logs via log viewer REST API

ASF GitHub Bot (JIRA) Thu, 11 Oct 2018 11:22:08 -0700


     [ 
https://issues.apache.org/jira/browse/STORM-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


ASF GitHub Bot updated STORM-3251:
----------------------------------
    Labels: pull-request-available  (was: )

> Using Logviewer Filter settings causes anyone to access logs via log viewer 
> REST API
> ------------------------------------------------------------------------------------
>
>                 Key: STORM-3251
>                 URL: https://issues.apache.org/jira/browse/STORM-3251
>             Project: Apache Storm
>          Issue Type: Bug
>            Reporter: Aaron Gresch
>            Assignee: Aaron Gresch
>            Priority: Critical
>              Labels: pull-request-available
>
> The rest API for logviewer access is checking if UI filter params is set to 
> deny access to users.  It's possible now to configure the logviewer without 
> UI filter params, so this check is no longer sufficient and can allow anyone 
> access to logs.
>  
> See ResourceAuthorizer line 68....



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Updated] (STORM-3251) Using Logviewer Filter settings causes anyone to access logs via log viewer REST API

Reply via email to