Apache Storm / STORM-3251

Using Logviewer Filter settings causes anyone to access logs via log viewer REST API


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.0
    • Component/s: None

      Description

      The REST API for logviewer access is checking if UI filter params are set to deny access to users. It's possible now to configure the logviewer without UI filter params, so this check is no longer sufficient and can allow anyone access to logs.

      See ResourceAuthorizer line 68....
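
      The gating flaw described above, as an added example that is not Storm's code or part of the original report. The class, method and user names are hypothetical, the config keys `ui.filter` and `logviewer.filter` are assumed, and the corrected gate is one possible fix rather than the committed one.

```java
import java.util.Map;
import java.util.Set;

// Illustrative model only: hypothetical names, not the project's ResourceAuthorizer.
public class LogAccessGateDemo {
    // Assumed config keys for the UI and logviewer servlet filters.
    static final String UI_FILTER = "ui.filter";
    static final String LOGVIEWER_FILTER = "logviewer.filter";

    static boolean isBlank(Object value) {
        return value == null || value.toString().trim().isEmpty();
    }

    // Flawed gate: the per-user check is skipped whenever the UI filter is
    // unset, even if the logviewer has its own filter configured.
    static boolean allowedBefore(Map<String, Object> conf, String user, Set<String> logUsers) {
        return isBlank(conf.get(UI_FILTER)) || logUsers.contains(user);
    }

    // Corrected gate: skip the per-user check only when neither filter is set.
    static boolean allowedAfter(Map<String, Object> conf, String user, Set<String> logUsers) {
        boolean noFilterConfigured =
            isBlank(conf.get(UI_FILTER)) && isBlank(conf.get(LOGVIEWER_FILTER));
        return noFilterConfigured || logUsers.contains(user);
    }

    public static void main(String[] args) {
        // Constructed config: only the logviewer filter is set (class name is a placeholder).
        Map<String, Object> conf = Map.of(LOGVIEWER_FILTER, "com.example.PlaceholderAuthFilter");
        // Constructed allow-list of users permitted to read this log.
        Set<String> logUsers = Set.of("alice");

        System.out.println("before, unlisted user: " + allowedBefore(conf, "mallory", logUsers));
        System.out.println("after,  unlisted user: " + allowedAfter(conf, "mallory", logUsers));
        System.out.println("after,  listed user:   " + allowedAfter(conf, "alice", logUsers));
    }
}
```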


              People

              • Assignee: Aaron Gresch (agresch)
              • Reporter: Aaron Gresch (agresch)

                  Time Tracking

                  • Original Estimate: Not Specified
                  • Remaining Estimate: 0h
                  • Time Spent: 20m