Re: Review Request 55843: Trailing slash (/) on cluster resource causes incorrect authorization logic flow
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/55843/#review162639 --- Ship it! Ship It! - Attila Magyar On Jan. 23, 2017, 2:49 p.m., Robert Levas wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/55843/ > --- > > (Updated Jan. 23, 2017, 2:49 p.m.) > > > Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene > Chekanskiy, Jonathan Hurley, and Laszlo Puskas. > > > Bugs: AMBARI-19670 > https://issues.apache.org/jira/browse/AMBARI-19670 > > > Repository: ambari > > > Description > --- > > Trailing slash (/) on cluster resource causes incorrect authorization logic > flow. It is debatable whether Ambari should allow this, but since it seems to > in other cases - like if the user was an Ambari Administrator - this should > be fixed. > > The problem occurs in the > `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter` > where the filter attempts to figure out what the user is trying to get access > to. Since the regular expression for Cluster resources does acknowledge that > a trailing "/" after the cluster name indicates a cluster, the request does > not fall through to the Cluster resource handler > (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for > authorization checks. It uses the legacy logic, which is a little flawed as > well. > > The fix for this is to allow the trailing "/" in the regular expression > representing Cluster requests: > # From > org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70 > ``` > private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + > "/clusters/(\w+)?"; > ``` > > # To > org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70} > ``` > private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + > "/clusters/(\w+/?)?"; > ``` > > > Diffs > - > > > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java > 1faadb6 > > ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java > 0ab75c5 > > Diff: https://reviews.apache.org/r/55843/diff/ > > > Testing > --- > > Manually tested > > # Jenkins test reults: PENDING > > > Thanks, > > Robert Levas > >
Re: Review Request 55843: Trailing slash (/) on cluster resource causes incorrect authorization logic flow
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/55843/#review162634 --- Ship it! Ship It! - Jonathan Hurley On Jan. 23, 2017, 9:49 a.m., Robert Levas wrote: > > --- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/55843/ > --- > > (Updated Jan. 23, 2017, 9:49 a.m.) > > > Review request for Ambari, Attila Magyar, Balázs Bence Sári, Eugene > Chekanskiy, Jonathan Hurley, and Laszlo Puskas. > > > Bugs: AMBARI-19670 > https://issues.apache.org/jira/browse/AMBARI-19670 > > > Repository: ambari > > > Description > --- > > Trailing slash (/) on cluster resource causes incorrect authorization logic > flow. It is debatable whether Ambari should allow this, but since it seems to > in other cases - like if the user was an Ambari Administrator - this should > be fixed. > > The problem occurs in the > `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter` > where the filter attempts to figure out what the user is trying to get access > to. Since the regular expression for Cluster resources does acknowledge that > a trailing "/" after the cluster name indicates a cluster, the request does > not fall through to the Cluster resource handler > (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for > authorization checks. It uses the legacy logic, which is a little flawed as > well. > > The fix for this is to allow the trailing "/" in the regular expression > representing Cluster requests: > # From > org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70 > ``` > private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + > "/clusters/(\w+)?"; > ``` > > # To > org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70} > ``` > private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + > "/clusters/(\w+/?)?"; > ``` > > > Diffs > - > > > ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java > 1faadb6 > > ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java > 0ab75c5 > > Diff: https://reviews.apache.org/r/55843/diff/ > > > Testing > --- > > Manually tested > > # Jenkins test reults: PENDING > > > Thanks, > > Robert Levas > >
Review Request 55843: Trailing slash (/) on cluster resource causes incorrect authorization logic flow
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/55843/ --- Review request for Ambari, Attila Magyar, Eugene Chekanskiy, Jonathan Hurley, and Laszlo Puskas. Bugs: AMBARI-19670 https://issues.apache.org/jira/browse/AMBARI-19670 Repository: ambari Description --- Trailing slash (/) on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed. The problem occurs in the `org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter` where the filter attempts to figure out what the user is trying to get access to. Since the regular expression for Cluster resources does acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (`org.apache.ambari.server.controller.internal.ClusterResourceProvider`) for authorization checks. It uses the legacy logic, which is a little flawed as well. The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests: # From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70 ``` private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\w+)?"; ``` # To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70} ``` private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\w+/?)?"; ``` Diffs - ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java 1faadb6 ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java 0ab75c5 Diff: https://reviews.apache.org/r/55843/diff/ Testing --- Manually tested # Jenkins test reults: PENDING Thanks, Robert Levas
