[
https://issues.apache.org/jira/browse/FALCON-466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14091116#comment-14091116
]
Venkatesh Seetharam commented on FALCON-466:
--------------------------------------------
[~bvellanki], patch looks good but there is a redundant entity null check. The
returns can be simplified as well.
{code}
protected boolean isEntityAuthorized(Entity entity) {
try {
SecurityUtil.getAuthorizationProvider().authorizeResource("entities", "list",
entity.getEntityType().toString(), entity.getName(),
CurrentUser.getProxyUgi());
} catch (Exception e) {
LOG.error("Authorization failed for entity=" + entity.getName()
+ " for user=" + CurrentUser.getUser() , e);
return false;
}
return true;
}
{code}
The error message should probably say: 'authorization failed", no?
> REST APIs must add the entity owner as an implicit filter
> ---------------------------------------------------------
>
> Key: FALCON-466
> URL: https://issues.apache.org/jira/browse/FALCON-466
> Project: Falcon
> Issue Type: Sub-task
> Components: webapp
> Affects Versions: 0.6
> Reporter: Venkatesh Seetharam
> Assignee: Balu Vellanki
> Labels: authorization, security
> Fix For: 0.6
>
> Attachments: Falcon-Jira-466.v2.patch, Falcon-Jira-466.v3.patch
>
>
> Implement authorization for entity actions. Entity created by one user should
> not be updated/deleted by another user. Entity operations will only apply for
> the entities owned by that user.
> Entity and instance operations must add the authenticated user/owner as an
> implicit filter so the user operates on only his entities. For example: List
> will return entities belonging to the authenticated user, lifecycle
> operations such as delete/kill/suspend/resume/etc. are only applicable to the
> owner of the entity.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
