-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50101/#review142686
-----------------------------------------------------------

Ship it!


Ship It!

- Jonathan Hurley


On July 15, 2016, 8:31 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/50101/
> -----------------------------------------------------------
> 
> (Updated July 15, 2016, 8:31 p.m.)
> 
> 
> Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Nate Cole,
> and Vitalyi Brodetskyi.
> 
> 
> Bugs: AMBARI-17740
>     https://issues.apache.org/jira/browse/AMBARI-17740
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> With "Cluster User" role, submitting "install packages" API call goes
> through, even though it should be blocked
> 
> ```
> #curl -u cu:1234 -H "X-Requested-By: ambari" -i -X POST http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d '{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}'
> HTTP/1.1 202 Accepted
> Date: Wed, 29 Jun 2016 05:55:16 GMT
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> User: cu
> Content-Type: text/plain
> Vary: Accept-Encoding, User-Agent
> Content-Length: 136
> Server: Jetty(9.2.11.v20150529)
> 
> {
>   "href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36",
>   "Requests" : {
>     "id" : 36,
>     "status" : "Accepted"
>   }
> }
> ```
> 
> Role of the user "cu"
> ```
> {
>   "href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7",
>   "PrivilegeInfo" : {
>     "cluster_name" : "cl1",
>     "permission_label" : "Cluster User",
>     "permission_name" : "CLUSTER.USER",
>     "principal_name" : "cu",
>     "principal_type" : "USER",
>     "privilege_id" : 7,
>     "type" : "CLUSTER",
>     "user_name" : "cu"
>   }
> }
> ```
> 
> # Solution
> Protect access to this API by allowing only users with the
> `AMBARI.MANAGE_STACK_VERSIONS` authorization to create, update, and delete
> stack versions.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProvider.java c11cd81
>   ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java a438edb
> 
> Diff: https://reviews.apache.org/r/50101/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Local test results:
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 1:12:52.071s
> [INFO] Finished at: Fri Jul 15 19:27:40 EDT 2016
> [INFO] Final Memory: 62M/1889M
> [INFO] ------------------------------------------------------------------------
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
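
The authorization gate described in the quoted review request, as an added example that is not part of the original e-mail and is not Ambari's code: a deny-by-default check on create, update and delete of stack versions, plus an audit that lists which roles get a write accepted without holding `AMBARI.MANAGE_STACK_VERSIONS`. The role table, the function names and the 403 status are assumptions made for illustration.

```python
# Added illustration; every name below is hypothetical, not Ambari's code.
MANAGE = "AMBARI.MANAGE_STACK_VERSIONS"  # authorization named in the review request

# Constructed role table for the demo (assumption, not Ambari's role definitions).
ROLE_AUTHORIZATIONS = {
    "CLUSTER.USER": set(),
    "AMBARI.ADMINISTRATOR": {MANAGE},
}

# Every write operation on stack versions requires MANAGE, per the stated fix.
REQUIRED = {"create": {MANAGE}, "update": {MANAGE}, "delete": {MANAGE}}


def is_authorized(role, operation):
    """Deny by default: unknown roles and unknown operations are refused."""
    required = REQUIRED.get(operation)
    if required is None:
        return False
    return required <= ROLE_AUTHORIZATIONS.get(role, set())


def handle(role, operation, enforce=True):
    """Return the HTTP status a stack-version write request would get.

    enforce=False models the reported behaviour: no check, request accepted.
    The 403 for a refused request is an assumption of this model.
    """
    if enforce and not is_authorized(role, operation):
        return 403
    return 202


def audit(enforce):
    """List (role, operation) pairs accepted although the role lacks MANAGE."""
    return sorted(
        (role, op)
        for role, granted in ROLE_AUTHORIZATIONS.items()
        for op in REQUIRED
        if MANAGE not in granted and handle(role, op, enforce) == 202
    )


if __name__ == "__main__":
    print("without the check:", audit(enforce=False))
    print("with the check:   ", audit(enforce=True))
```
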