[STORM-3251] Using Logviewer Filter settings causes anyone to access logs via log viewer REST API - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0.0
Component/s: None
Labels:
- pull-request-available

Description

The rest API for logviewer access is checking if UI filter params is set to deny access to users. It's possible now to configure the logviewer without UI filter params, so this check is no longer sufficient and can allow anyone access to logs.

See ResourceAuthorizer line 68....

Attachments

Issue Links

links to

GitHub Pull Request #2872

Activity

People

Assignee:: Aaron Gresch

Reporter:: Aaron Gresch

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Oct/18 16:14

Updated:: 12/Oct/18 21:41

Resolved:: 12/Oct/18 21:41

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m