Repository: ambari Updated Branches: refs/heads/trunk 9bb27b42b -> 8a64be420
AMBARI-19670. Trailing slash (/) on cluster resource causes incorrect authorization logic flow (rlevas) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/8a64be42 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/8a64be42 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/8a64be42 Branch: refs/heads/trunk Commit: 8a64be42043380ad5c35b0517a92e9c0239d2d4b Parents: 9bb27b4 Author: Robert Levas <rle...@hortonworks.com> Authored: Mon Jan 23 11:36:53 2017 -0500 Committer: Robert Levas <rle...@hortonworks.com> Committed: Mon Jan 23 11:36:53 2017 -0500 ---------------------------------------------------------------------- .../security/authorization/AmbariAuthorizationFilter.java | 2 +- .../authorization/AmbariAuthorizationFilterTest.java | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/8a64be42/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
index 1faadb6..ce9a790 100644
--- a/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
+++ b/ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilter.java
@@ -68,7 +68,7 @@ public class AmbariAuthorizationFilter implements Filter {
 private static final String API_USERS_ALL_PATTERN = API_VERSION_PREFIX + "/users.*";
 private static final String API_PRIVILEGES_ALL_PATTERN = API_VERSION_PREFIX + "/privileges.*";
 private static final String API_GROUPS_ALL_PATTERN = API_VERSION_PREFIX + "/groups.*";
- private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+)?";
+ private static final String API_CLUSTERS_PATTERN = API_VERSION_PREFIX + "/clusters/(\\w+/?)?";
 private static final String API_WIDGET_LAYOUTS_PATTERN = API_VERSION_PREFIX + "/clusters/.*?/widget_layouts.*?";
 private static final String API_CLUSTERS_ALL_PATTERN = API_VERSION_PREFIX + "/clusters.*";
 private static final String API_VIEWS_ALL_PATTERN = API_VERSION_PREFIX + "/views.*";
http://git-wip-us.apache.org/repos/asf/ambari/blob/8a64be42/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
index 0ab75c5..15e243e 100644
--- a/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
+++ b/ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.java
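Review bot: `API_CLUSTERS_PATTERN` in AmbariAuthorizationFilter.java now tolerates exactly one trailing slash, but the authorization branch a request takes still depends on the literal spelling of the URI. Any other form that the REST layer resolves to the same cluster resource (repeated slashes, for instance, or a name containing a character outside `\w`) would presumably still miss this pattern and be caught by `API_CLUSTERS_ALL_PATTERN` instead, which is the flow the commit title describes as incorrect. Consider canonicalising the request path once before any pattern is tested, so the pattern set does not have to enumerate variants, and document the constant, e.g. `// Cluster collection or a single cluster, optional trailing slash (AMBARI-19670); sub-resources must not match here.` The matching code is outside this hunk, so whether these patterns are applied as a full match should be confirmed there.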
@@ -72,6 +72,8 @@ public class AmbariAuthorizationFilterTest {
 final Table<String, String, Boolean> urlTests = HashBasedTable.create();
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
+ urlTests.put("/api/v1/clusters/cluster/", "GET", true); // This should probably be an invalid URL, but Ambari seems to allow it.
+ urlTests.put("/api/v1/clusters/cluster/", "POST", true); // This should probably be an invalid URL, but Ambari seems to allow it.
 urlTests.put("/api/v1/views", "GET", true);
 urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
@@ -113,6 +115,8 @@ public class AmbariAuthorizationFilterTest {
 final Table<String, String, Boolean> urlTests = HashBasedTable.create();
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
+ urlTests.put("/api/v1/clusters/cluster/", "GET", true); // This should probably be an invalid URL, but Ambari seems to allow it.
+ urlTests.put("/api/v1/clusters/cluster/", "POST", true); // This should probably be an invalid URL, but Ambari seems to allow it.
 urlTests.put("/api/v1/views", "GET", true);
 urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
@@ -154,6 +158,8 @@ public class AmbariAuthorizationFilterTest {
 final Table<String, String, Boolean> urlTests = HashBasedTable.create();
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
+ urlTests.put("/api/v1/clusters/cluster/", "GET", true); // This should probably be an invalid URL, but Ambari seems to allow it.
+ urlTests.put("/api/v1/clusters/cluster/", "POST", true); // This should probably be an invalid URL, but Ambari seems to allow it.
 urlTests.put("/api/v1/views", "GET", true);
 urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
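Review bot: The rows added to `urlTests` assert only the expected-`true` result for the one form the new pattern accepts, so as far as these hunks show the tests would still pass if `API_CLUSTERS_PATTERN` were widened further or a sub-resource path started matching it. Add at least one row per table that pins a path which must not be treated as the cluster resource, with the result the filter is meant to give in that test. The trailing comment is repeated ten times and records doubt rather than intent; something like `// AMBARI-19670: trailing slash must be authorized like /api/v1/clusters/cluster` says why the row exists. The same applies to the hunks at -113, -154, -195 and -236, and the enclosing test methods begin and end outside all five hunks.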
@@ -195,6 +201,8 @@ public class AmbariAuthorizationFilterTest {
 final Table<String, String, Boolean> urlTests = HashBasedTable.create();
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
+ urlTests.put("/api/v1/clusters/cluster/", "GET", true); // This should probably be an invalid URL, but Ambari seems to allow it.
+ urlTests.put("/api/v1/clusters/cluster/", "POST", true); // This should probably be an invalid URL, but Ambari seems to allow it.
 urlTests.put("/api/v1/views", "GET", true);
 urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);
@@ -236,6 +244,8 @@ public class AmbariAuthorizationFilterTest {
 final Table<String, String, Boolean> urlTests = HashBasedTable.create();
 urlTests.put("/api/v1/clusters/cluster", "GET", true);
 urlTests.put("/api/v1/clusters/cluster", "POST", true);
+ urlTests.put("/api/v1/clusters/cluster/", "GET", true); // This should probably be an invalid URL, but Ambari seems to allow it.
+ urlTests.put("/api/v1/clusters/cluster/", "POST", true); // This should probably be an invalid URL, but Ambari seems to allow it.
 urlTests.put("/api/v1/views", "GET", true);
 urlTests.put("/api/v1/views", "POST", true);
 urlTests.put("/api/v1/persist/SomeValue", "GET", true);