Uploaded image for project: 'Ambari (Retired)'
  1. Ambari (Retired)
  2. AMBARI-19670

Trailing slash (/) on cluster resource causes incorrect authorization logic flow

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.4.0
    • 2.5.0
    • ambari-server

    Description

      Trailing slash on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed.

      The problem occurs in the org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter where the filter attempts to figure out what the user is trying to get access to. Since the regular expression for Cluster resources does acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (org.apache.ambari.server.controller.internal.ClusterResourceProvider) for authorization checks. It uses the legacy logic, which is a little flawed as well.

      The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests:

      From org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
        private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";
      
      To org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java:70
        private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+/?)?";
      

      Attachments

        1. AMBARI-19670_branch-2.5_01.patch
          5 kB
          Robert Levas
        2. AMBARI-19670_trunk_01.patch
          5 kB
          Robert Levas

        Issue Links

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: