[accumulo] branch main updated: Add missing permission checks to Manager Thrift API (#2989)

Fri, 30 Sep 2022 10:07:15 -0700 

This is an automated email from the ASF dual-hosted git repository.

dlmarion pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/main by this push:
     new 1efbcaa1b9 Add missing permission checks to Manager Thrift API (#2989)
1efbcaa1b9 is described below

commit 1efbcaa1b9eb594962c502304d0bc7fcb937e269
Author: Dave Marion <dlmar...@apache.org>
AuthorDate: Fri Sep 30 13:05:50 2022 -0400

    Add missing permission checks to Manager Thrift API (#2989)
---
 .../accumulo/manager/ManagerClientServiceHandler.java | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git 
a/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java
 
b/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java
index d854df28c8..900a13c8f6 100644
--- 
a/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java
+++ 
b/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java
@@ -324,7 +324,11 @@ public class ManagerClientServiceHandler implements 
ManagerClientService.Iface {
 
   @Override
   public void reportSplitExtent(TInfo info, TCredentials credentials, String 
serverName,
-      TabletSplit split) {
+      TabletSplit split) throws ThriftSecurityException {
+    if (!manager.security.canPerformSystemActions(credentials))
+      throw new ThriftSecurityException(credentials.getPrincipal(),
+          SecurityErrorCode.PERMISSION_DENIED);
+
     KeyExtent oldTablet = KeyExtent.fromThrift(split.oldTablet);
     if (manager.migrations.remove(oldTablet) != null) {
       Manager.log.info("Canceled migration of {}", split.oldTablet);
@@ -342,7 +346,11 @@ public class ManagerClientServiceHandler implements 
ManagerClientService.Iface {
 
   @Override
   public void reportTabletStatus(TInfo info, TCredentials credentials, String 
serverName,
-      TabletLoadState status, TKeyExtent ttablet) {
+      TabletLoadState status, TKeyExtent ttablet) throws 
ThriftSecurityException {
+    if (!manager.security.canPerformSystemActions(credentials))
+      throw new ThriftSecurityException(credentials.getPrincipal(),
+          SecurityErrorCode.PERMISSION_DENIED);
+
     KeyExtent tablet = KeyExtent.fromThrift(ttablet);
 
     switch (status) {
@@ -546,7 +554,12 @@ public class ManagerClientServiceHandler implements 
ManagerClientService.Iface {
   }
 
   @Override
-  public List<String> getActiveTservers(TInfo tinfo, TCredentials credentials) 
{
+  public List<String> getActiveTservers(TInfo tinfo, TCredentials credentials)
+      throws ThriftSecurityException {
+    if (!manager.security.canPerformSystemActions(credentials))
+      throw new ThriftSecurityException(credentials.getPrincipal(),
+          SecurityErrorCode.PERMISSION_DENIED);
+
     Set<TServerInstance> tserverInstances = manager.onlineTabletServers();
     List<String> servers = new ArrayList<>();
     for (TServerInstance tserverInstance : tserverInstances) {

Reply via email to