SENTRY-900: User could access sentry metric info by curl without authorization (Dapeng Sun, reviewed by Colin Ma)
Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0017fd96 Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0017fd96 Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0017fd96 Branch: refs/heads/hive_plugin_v2 Commit: 0017fd96330357677fc563156af5e90db5d3e6f3 Parents: f1724f1 Author: Sun Dapeng <[email protected]> Authored: Fri Sep 25 15:06:29 2015 +0800 Committer: Sun Dapeng <[email protected]> Committed: Mon Nov 2 16:36:42 2015 +0800 ---------------------------------------------------------------------- .../sentry/provider/db/service/thrift/SentryAuthFilter.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0017fd96/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java ---------------------------------------------------------------------- diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java index 311fbb5..29759e8 100644 --- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java +++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryAuthFilter.java @@ -51,13 +51,14 @@ public class SentryAuthFilter extends AuthenticationFilter { @Override protected void doFilter(FilterChain filterChain, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - super.doFilter(filterChain, request, response); String userName = request.getRemoteUser(); LOG.debug("Authenticating user: " + userName + " from request."); if (!allowUsers.contains(userName)) { response.sendError(HttpServletResponse.SC_FORBIDDEN, userName + " is unauthorized. status code: " + HttpServletResponse.SC_FORBIDDEN); + throw new ServletException(userName + " is unauthorized. status code: " + HttpServletResponse.SC_FORBIDDEN); } + super.doFilter(filterChain, request, response); } /**
