  1. Ambari
  2. AMBARI-19670

Trailing slash (/) on cluster resource causes incorrect authorization logic flow


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.4.0
    • 2.5.0
    • ambari-server

    Description

      Trailing slash on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed.

      The problem occurs in the org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter where the filter attempts to figure out what the user is trying to get access to. Since the regular expression for Cluster resources does acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (org.apache.ambari.server.controller.internal.ClusterResourceProvider) for authorization checks. It uses the legacy logic, which is a little flawed as well.

      The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests:

      From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
        private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";
      
      To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
        private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+/?)?";
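
      The following check is an added example, not code from this issue or from the Ambari project; it compares the two pattern strings quoted above against constructed request URIs. It assumes API_VERSION_PREFIX is "/api/v[0-9]+" and that the filter requires the whole request URI to match; the cluster name "c1" and the helper isClusterRequest are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: compares the two API_CLUSTERS_PATTERN values from the issue.
public class ClusterPatternCheck {
    // Assumption: the value of API_VERSION_PREFIX is not shown on the page.
    static final String API_VERSION_PREFIX = "/api/v[0-9]+";

    // The two pattern strings quoted in the issue description.
    static final Pattern BEFORE = Pattern.compile(API_VERSION_PREFIX + "/clusters/(\\w+)?");
    static final Pattern AFTER = Pattern.compile(API_VERSION_PREFIX + "/clusters/(\\w+/?)?");

    // Assumption: the filter requires the whole request URI to match.
    // Hypothetical helper, named here for illustration only.
    static boolean isClusterRequest(Pattern pattern, String uri) {
        return pattern.matcher(uri).matches();
    }

    public static void main(String[] args) {
        // Constructed sample URIs; "c1" is a made-up cluster name.
        // uri -> {expected with BEFORE, expected with AFTER}
        Map<String, boolean[]> cases = new LinkedHashMap<>();
        cases.put("/api/v1/clusters/", new boolean[] {true, true});
        cases.put("/api/v1/clusters/c1", new boolean[] {true, true});
        // The case from the issue: only the fixed pattern classifies it
        // as a Cluster request.
        cases.put("/api/v1/clusters/c1/", new boolean[] {false, true});
        // Sub-resources must stay outside the Cluster pattern in both versions.
        cases.put("/api/v1/clusters/c1/hosts", new boolean[] {false, false});

        for (Map.Entry<String, boolean[]> e : cases.entrySet()) {
            boolean before = isClusterRequest(BEFORE, e.getKey());
            boolean after = isClusterRequest(AFTER, e.getKey());
            System.out.printf("%-28s before=%-5b after=%b%n", e.getKey(), before, after);
            if (before != e.getValue()[0] || after != e.getValue()[1]) {
                throw new AssertionError("unexpected classification for " + e.getKey());
            }
        }
    }
}
```

      A table of URIs like this can be kept as a regression test so that any later change to the pattern is checked against both the slash and no-slash forms of a cluster URI.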
      

      Attachments

        1. AMBARI-19670_branch-2.5_01.patch
          5 kB
          Robert Levas
        2. AMBARI-19670_trunk_01.patch
          5 kB
          Robert Levas


          People

            rlevas Robert Levas
            rlevas Robert Levas