Re: Review Request 50101: Cluster user role is permitted to install packages using API

2016-07-18 Thread Jonathan Hurley

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50101/#review142686
---


Ship it!




Ship It!

- Jonathan Hurley





Re: Review Request 50101: Cluster user role is permitted to install packages using API

2016-07-18 Thread Nate Cole

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50101/#review142585
---


Ship it!




Ship It!

- Nate Cole





Review Request 50101: Cluster user role is permitted to install packages using API

2016-07-15 Thread Robert Levas

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/50101/
---

Review request for Ambari, Jonathan Hurley, Myroslav Papirkovskyy, Nate Cole, 
and Vitalyi Brodetskyi.


Bugs: AMBARI-17740
https://issues.apache.org/jira/browse/AMBARI-17740


Repository: ambari


Description
---

With the "Cluster User" role, submitting the "install packages" API call goes through, 
even though it should be blocked.

```
#curl -u cu:1234 -H "X-Requested-By: ambari" -i -X POST \
  http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d \
  '{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}'
HTTP/1.1 202 Accepted
Date: Wed, 29 Jun 2016 05:55:16 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
User: cu
Content-Type: text/plain
Vary: Accept-Encoding, User-Agent
Content-Length: 136
Server: Jetty(9.2.11.v20150529)

{
  "href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36",
  "Requests" : {
    "id" : 36,
    "status" : "Accepted"
  }
}
```

Role of the user "cu":
```
{
  "href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7",
  "PrivilegeInfo" : {
    "cluster_name" : "cl1",
    "permission_label" : "Cluster User",
    "permission_name" : "CLUSTER.USER",
    "principal_name" : "cu",
    "principal_type" : "USER",
    "privilege_id" : 7,
    "type" : "CLUSTER",
    "user_name" : "cu"
  }
}
```

# Solution
Protect access to this API by allowing only users with the 
`AMBARI.MANAGE_STACK_VERSIONS` authorization to create, update, and delete 
stack versions.


Diffs
-

  ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProvider.java c11cd81 
  ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ClusterStackVersionResourceProviderTest.java a438edb 

Diff: https://reviews.apache.org/r/50101/diff/


Testing
---

Manually tested

# Local test results: 
[INFO] 
[INFO] BUILD SUCCESS
[INFO] 
[INFO] Total time: 1:12:52.071s
[INFO] Finished at: Fri Jul 15 19:27:40 EDT 2016
[INFO] Final Memory: 62M/1889M
[INFO] 

# Jenkins test results: PENDING


Thanks,

Robert Levas
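A small model of the authorization rule described under "Solution", added here as an example and not Ambari's own code: it reproduces the reported 202 for a CLUSTER.USER caller when the check is absent and the 403 the fix should produce. The role-to-authorization table and the `privilege_json` helper are assumptions shaped on the identifiers in this thread, not Ambari's real role table or API.

```python
import json

# Assumed subset of Ambari's role table (not the project's own code): the
# authorizations each permission grants. Only the one authorization this
# report is about is modelled; CLUSTER.USER deliberately lacks it.
ROLE_AUTHORIZATIONS = {
    "AMBARI.ADMINISTRATOR": {"AMBARI.MANAGE_STACK_VERSIONS"},
    "CLUSTER.USER": set(),
}

# The fix: writes to /clusters/<name>/stack_versions require this
# authorization; reads are left to the ordinary read permissions.
WRITE_METHODS = {"POST", "PUT", "DELETE"}
REQUIRED_WRITE_AUTHORIZATION = "AMBARI.MANAGE_STACK_VERSIONS"


def privilege_json(user, permission):
    """Build a constructed PrivilegeInfo document shaped like /users/cu/privileges/7."""
    return json.dumps({
        "PrivilegeInfo": {
            "cluster_name": "cl1",
            "permission_name": permission,
            "principal_name": user,
            "principal_type": "USER",
            "type": "CLUSTER",
            "user_name": user,
        }
    })


def authorizations_for(privilege_doc):
    """Resolve a caller's role authorizations from one PrivilegeInfo document."""
    info = json.loads(privilege_doc)["PrivilegeInfo"]
    return ROLE_AUTHORIZATIONS.get(info["permission_name"], set())


def stack_versions_status(method, privilege_doc, check_enabled=True):
    """HTTP status the stack_versions endpoint answers with for this caller.

    check_enabled=False reproduces the reported behaviour: a write is
    accepted (202) regardless of role. With the check on, a write from a
    caller lacking AMBARI.MANAGE_STACK_VERSIONS is refused with 403.
    """
    if method not in WRITE_METHODS:
        return 200
    if check_enabled and REQUIRED_WRITE_AUTHORIZATION not in authorizations_for(privilege_doc):
        return 403
    return 202
```

Running the cluster-user document from the report through `stack_versions_status("POST", ...)` with the check on is the regression test to keep around: it must answer 403, not the 202 shown above.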