Details
- Bug
- Status: Resolved
- Blocker
- Resolution: Fixed
- Aurora Q4 Sprint 1
Description
SchedulerThriftInterface.java contains the following:
private SessionContext validateSessionKeyForTasks(
    SessionKey session,
    Query.Builder taskQuery,
    Iterable<IScheduledTask> tasks) throws AuthFailedException {

  // Authenticate the session against any affected roles, always including the role for a
  // role-scoped query. This papers over the implementation detail that dormant cron jobs are
  // authenticated this way.
  ImmutableSet.Builder<String> targetRoles = ImmutableSet.<String>builder()
      .addAll(FluentIterable.from(tasks).transform(GET_ROLE));
  if (taskQuery.get().isSetOwner()) {
    targetRoles.add(taskQuery.get().getOwner().getRole());
  }
  return sessionValidator.checkAuthenticated(session, targetRoles.build());
}
Since the owner field is deprecated and a cron job may not have any tasks available, this can pass an empty set into checkAuthenticated. We should also grab the role from the query.
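
An added illustration of the failure mode described above (not code from Aurora or from this ticket): `Validator`, `mayActAs`, `targetRoles` and the simplified `checkAuthenticated` are hypothetical stand-ins, and the per-role loop is an assumption about how an empty role set ends up checking nothing. Rejecting an empty set outright is an extra fail-closed guard beyond what the ticket proposes.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;

public class RoleScopedAuthExample {
  // Hypothetical stand-in for the session validator; not Aurora's class.
  interface Validator { boolean mayActAs(String user, String role); }
  static class AuthFailedException extends Exception {
    AuthFailedException(String msg) { super(msg); }
  }

  // Assumed per-role check: a loop over an empty set never rejects anything.
  static void checkAuthenticated(Validator v, String user, Set<String> roles)
      throws AuthFailedException {
    for (String role : roles) {
      if (!v.mayActAs(user, role)) {
        throw new AuthFailedException(user + " may not act as " + role);
      }
    }
  }

  // Roles of the matched tasks plus the query's own role; fails closed if none.
  static Set<String> targetRoles(List<String> taskRoles, Optional<String> queryRole)
      throws AuthFailedException {
    Set<String> roles = new LinkedHashSet<>(taskRoles);
    queryRole.ifPresent(roles::add);
    if (roles.isEmpty()) {
      throw new AuthFailedException("no role to authenticate against");
    }
    return roles;
  }

  public static void main(String[] args) throws Exception {
    Validator ownRoleOnly = (user, role) -> user.equals(role);
    List<String> noTasks = List.of();  // constructed: dormant cron job, no tasks
    // Task roles only: the set is empty, so the call returns without checking.
    checkAuthenticated(ownRoleOnly, "alice", Set.copyOf(noTasks));
    System.out.println("task roles only: accepted, nothing was checked");

    // Query role included: the session is checked against "www-data".
    try {
      Set<String> roles = targetRoles(noTasks, Optional.of("www-data"));
      checkAuthenticated(ownRoleOnly, "alice", roles);
    } catch (AuthFailedException e) {
      System.out.println("query role included: rejected, " + e.getMessage());
    }
  }
}
```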