AURORA-837: validateSessionKeyForTasks can pass empty set of roles to checkAuthenticated


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Fix Version/s: 0.6.0
    • Sprint: Aurora Q4 Sprint 1

    Description

      SchedulerThriftInterface.java contains the following:

        private SessionContext validateSessionKeyForTasks(
            SessionKey session,
            Query.Builder taskQuery,
            Iterable<IScheduledTask> tasks) throws AuthFailedException {

          // Authenticate the session against any affected roles, always including the role for a
          // role-scoped query.  This papers over the implementation detail that dormant cron jobs are
          // authenticated this way.
          ImmutableSet.Builder<String> targetRoles = ImmutableSet.<String>builder()
              .addAll(FluentIterable.from(tasks).transform(GET_ROLE));
          if (taskQuery.get().isSetOwner()) {
            targetRoles.add(taskQuery.get().getOwner().getRole());
          }
          return sessionValidator.checkAuthenticated(session, targetRoles.build());
        }

      Since the query's owner field is deprecated and a cron job may not have any tasks available, this can pass an empty set of roles into checkAuthenticated. We should also grab the role from the query.
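      As an added illustration in Python (not Aurora's code), the role-collection logic from the snippet beside its corrected form: the pre-fix collection yields an empty set for a role-scoped query over a cron job with no tasks, while the corrected version also takes the role from the query and the validator refuses an empty target set. Function names mirror the Java; Task, TaskQuery and check_authenticated are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


class AuthFailedException(Exception):
    """Raised when a session cannot be authenticated for the target roles."""


@dataclass(frozen=True)
class Task:
    role: str  # constructed stand-in for IScheduledTask; only its role matters here


@dataclass(frozen=True)
class TaskQuery:
    # Constructed stand-in for the Thrift TaskQuery: owner_role mirrors the
    # deprecated owner field, role the role-scoped query field.
    owner_role: Optional[str] = None
    role: Optional[str] = None


def collect_target_roles_before_fix(query: TaskQuery, tasks: Iterable[Task]) -> Set[str]:
    """Mirrors the reported snippet: roles from tasks plus the deprecated owner only."""
    roles = {task.role for task in tasks}
    if query.owner_role is not None:
        roles.add(query.owner_role)
    return roles  # empty for a role-scoped query over a dormant cron job


def collect_target_roles(query: TaskQuery, tasks: Iterable[Task]) -> Set[str]:
    """Corrected collection: also take the role directly from the query."""
    roles = collect_target_roles_before_fix(query, tasks)
    if query.role is not None:
        roles.add(query.role)
    return roles


def check_authenticated(session_roles: Set[str], target_roles: Set[str]) -> Set[str]:
    """Stand-in validator: the session must hold every target role, and there must be some."""
    if not target_roles:
        raise AuthFailedException("no target roles; refusing to authenticate against nothing")
    missing = target_roles - session_roles
    if missing:
        raise AuthFailedException(f"session lacks roles {sorted(missing)}")
    return target_roles


def validate_session_key_for_tasks(session_roles: Set[str], query: TaskQuery,
                                   tasks: Iterable[Task]) -> Set[str]:
    # Collect every role the request touches, then authenticate the session against them.
    return check_authenticated(session_roles, collect_target_roles(query, tasks))
```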

          People

            Assignee and Reporter: Zameer Manji (zmanji)