This is an automated email from the ASF dual-hosted git repository. dlmarion pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/main by this push: new 1efbcaa1b9 Add missing permission checks to Manager Thrift API (#2989) 1efbcaa1b9 is described below commit 1efbcaa1b9eb594962c502304d0bc7fcb937e269 Author: Dave Marion <dlmar...@apache.org> AuthorDate: Fri Sep 30 13:05:50 2022 -0400 Add missing permission checks to Manager Thrift API (#2989) --- .../accumulo/manager/ManagerClientServiceHandler.java | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java b/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java index d854df28c8..900a13c8f6 100644 --- a/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java +++ b/server/manager/src/main/java/org/apache/accumulo/manager/ManagerClientServiceHandler.java @@ -324,7 +324,11 @@ public class ManagerClientServiceHandler implements ManagerClientService.Iface { @Override public void reportSplitExtent(TInfo info, TCredentials credentials, String serverName, - TabletSplit split) { + TabletSplit split) throws ThriftSecurityException { + if (!manager.security.canPerformSystemActions(credentials)) + throw new ThriftSecurityException(credentials.getPrincipal(), + SecurityErrorCode.PERMISSION_DENIED); + KeyExtent oldTablet = KeyExtent.fromThrift(split.oldTablet); if (manager.migrations.remove(oldTablet) != null) { Manager.log.info("Canceled migration of {}", split.oldTablet); @@ -342,7 +346,11 @@ public class ManagerClientServiceHandler implements ManagerClientService.Iface { @Override public void reportTabletStatus(TInfo info, TCredentials credentials, String serverName, - TabletLoadState status, TKeyExtent ttablet) { + TabletLoadState status, TKeyExtent ttablet) throws ThriftSecurityException { + if (!manager.security.canPerformSystemActions(credentials)) + throw new ThriftSecurityException(credentials.getPrincipal(), + SecurityErrorCode.PERMISSION_DENIED); + KeyExtent tablet = KeyExtent.fromThrift(ttablet); switch (status) { @@ -546,7 +554,12 @@ public class ManagerClientServiceHandler implements ManagerClientService.Iface { } @Override - public List<String> getActiveTservers(TInfo tinfo, TCredentials credentials) { + public List<String> getActiveTservers(TInfo tinfo, TCredentials credentials) + throws ThriftSecurityException { + if (!manager.security.canPerformSystemActions(credentials)) + throw new ThriftSecurityException(credentials.getPrincipal(), + SecurityErrorCode.PERMISSION_DENIED); + Set<TServerInstance> tserverInstances = manager.onlineTabletServers(); List<String> servers = new ArrayList<>(); for (TServerInstance tserverInstance : tserverInstances) {