Re: Review Request 55843: Trailing slash (/) on cluster resource causes incorrect authorization logic flow

Mon, 23 Jan 2017 07:37:35 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55843/#review162639
-----------------------------------------------------------


Ship it!




Ship It!

- Attila Magyar


On Jan. 23, 2017, 2:49 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55843/
> -----------------------------------------------------------
> 
> (Updated Jan. 23, 2017, 2:49 p.m.)
> 
> 
> Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene 
> Chekanskiy, Jonathan Hurley, and Laszlo Puskas.
> 
> 
> Bugs: AMBARI-19670
>     https://issues.apache.org/jira/browse/AMBARI-19670
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> Trailing slash (/) on cluster resource causes incorrect authorization logic 
> flow. It is debatable whether Ambari should allow this, but since it seems to 
> in other cases - like if the user was an Ambari Administrator - this should 
> be fixed. 
> 
> The problem occurs in the 
> `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter` 
> where the filter attempts to figure out what the user is trying to get access 
> to.  Since the regular expression for Cluster resources does acknowledge that 
> a trailing "/" after the cluster name indicates a cluster, the request does 
> not fall through to the Cluster resource handler 
> (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for 
> authorization checks.  It uses the legacy logic, which is a little flawed as 
> well.
> 
> The fix for this is to allow the trailing "/" in the regular expression 
> representing Cluster requests:
> # From 
> org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
> ```
>   private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + 
> "/clusters/(\w+)?";
> ```
> 
> # To 
> org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70}
> ```
> private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + 
> "/clusters/(\w+/?)?";
> ```
> 
> 
> Diffs
> -----
> 
>   
> ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
>  1faadb6 
>   
> ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
>  0ab75c5 
> 
> Diff: https://reviews.apache.org/r/55843/diff/
> 
> 
> Testing
> -------
> 
> Manually tested
> 
> # Jenkins test reults: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>

Reply via email to