-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55843/#review162639
-----------------------------------------------------------

Ship it!

Ship It!

- Attila Magyar


On Jan. 23, 2017, 2:49 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55843/
> -----------------------------------------------------------
>
> (Updated Jan. 23, 2017, 2:49 p.m.)
>
>
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene
> Chekanskiy, Jonathan Hurley, and Laszlo Puskas.
>
>
> Bugs: AMBARI-19670
>     https://issues.apache.org/jira/browse/AMBARI-19670
>
>
> Repository: ambari
>
>
> Description
> -------
>
> Trailing slash (/) on cluster resource causes incorrect authorization logic
> flow. It is debatable whether Ambari should allow this, but since it seems to
> in other cases - like if the user was an Ambari Administrator - this should
> be fixed.
>
> The problem occurs in the
> `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter`
> where the filter attempts to figure out what the user is trying to get access
> to. Since the regular expression for Cluster resources does acknowledge that
> a trailing "/" after the cluster name indicates a cluster, the request does
> not fall through to the Cluster resource handler
> (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for
> authorization checks. It uses the legacy logic, which is a little flawed as
> well.
>
> The fix for this is to allow the trailing "/" in the regular expression
> representing Cluster requests:
>
> # From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
> ```
> private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";
> ```
>
> # To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
> ```
> private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+/?)?";
> ```
>
>
> Diffs
> -----
>
>   ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 1faadb6
>   ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java 0ab75c5
>
> Diff: https://reviews.apache.org/r/55843/diff/
>
>
> Testing
> -------
>
> Manually tested
>
> # Jenkins test results: PENDING
>
>
> Thanks,
>
> Robert Levas
>
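
The before and after patterns from the description above, run against a handful of request URIs to show which ones are classified as Cluster requests. This is an added example, not part of the original e-mail or the Ambari code base. Assumptions: the value of `API_VERSION_PREFIX`, whole-URI matching, the helper `isClusterRequest`, and the constructed sample URIs.

```java
import java.util.regex.Pattern;

public class ClusterPatternDemo {
    // Assumed value; the review shows only the constant's name.
    static final String API_VERSION_PREFIX = "/api/v[0-9]+";
    // Cluster pattern before and after the change, as quoted in the review.
    static final Pattern BEFORE = Pattern.compile(API_VERSION_PREFIX + "/clusters/(\\w+)?");
    static final Pattern AFTER = Pattern.compile(API_VERSION_PREFIX + "/clusters/(\\w+/?)?");

    // Hypothetical stand-in for the filter's decision (whole-URI match assumed):
    // true means the request is treated as a Cluster resource request.
    static boolean isClusterRequest(Pattern pattern, String uri) {
        return pattern.matcher(uri).matches();
    }

    public static void main(String[] args) {
        // Constructed sample URIs: { uri, expected before, expected after }.
        Object[][] cases = {
            {"/api/v1/clusters/c1", true, true},
            {"/api/v1/clusters/c1/", false, true},   // the case the fix addresses
            {"/api/v1/clusters/", true, true},
            {"/api/v1/clusters/c1//", false, false}, // only one trailing slash is accepted
            {"/api/v1/clusters/c1/hosts", false, false}, // sub-resources are not cluster requests
        };
        for (Object[] c : cases) {
            String uri = (String) c[0];
            boolean before = isClusterRequest(BEFORE, uri);
            boolean after = isClusterRequest(AFTER, uri);
            if (before != (Boolean) c[1] || after != (Boolean) c[2]) {
                throw new AssertionError("unexpected classification for " + uri);
            }
            System.out.printf("%-28s before=%-5b after=%b%n", uri, before, after);
        }
    }
}
```

A table like this fits naturally as a parameterized case in `AmbariAuthorizationFilterTest`, so that equivalent spellings of the same resource path cannot drift onto different authorization paths again.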