[AMBARI-19670] Trailing slash (/) on cluster resource causes incorrect authorization logic flow - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.4.0
Fix Version/s: 2.5.0
Component/s: ambari-server
Labels:
- rbac

Description

Trailing slash on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed.

The problem occurs in the org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter where the filter attempts to figure out what the user is trying to get access to. Since the regular expression for Cluster resources does acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (org.apache.ambari.server.controller.internal.ClusterResourceProvider) for authorization checks. It uses the legacy logic, which is a little flawed as well.

The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests:

From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70

  private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";

To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70

  private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+/?)?";

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-19670_branch-2.5_01.patch
23/Jan/17 14:41
5 kB
Robert Levas
AMBARI-19670_trunk_01.patch
23/Jan/17 14:40
5 kB
Robert Levas

Issue Links

links to

ReviewBoard

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Jan/17 10:10

Updated:: 23/Jan/17 19:45

Resolved:: 23/Jan/17 16:38