[
https://issues.apache.org/jira/browse/KYLIN-3223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16357856#comment-16357856
]
Billy Liu commented on KYLIN-3223:
----------------------------------
Agree. The access check is missing on this API.
LGTM.
Patch merged at http://git-wip-us.apache.org/repos/asf/kylin/commit/0655dbc3.
Thank you, [~seva_ostapenko]
> Query for the list of hybrid cubes results in NPE
> -------------------------------------------------
>
> Key: KYLIN-3223
> URL: https://issues.apache.org/jira/browse/KYLIN-3223
> Project: Kylin
> Issue Type: Bug
> Components: REST Service
> Affects Versions: v2.2.0
> Environment: HDP 2.5.6, Kylin 2.2
> Reporter: Vsevolod Ostapenko
> Assignee: Vsevolod Ostapenko
> Priority: Major
> Fix For: v2.3.0
>
> Attachments:
> 0001-KYLIN-3223-Query-for-the-list-of-hybrid-cubes-result.patch
>
>
> Calling REST API to get the list of hybrid cubes returns stack trace with NPE
> exception.
> {quote}curl -u ADMIN:KYLIN -X GET -H 'Content-Type: application/json' -d {}
> [http://localhost:7070/kylin/api/hybrids]
> {quote}
>
> If a parameter project without a value is specified, call succeeds. E.g.
> {quote}curl -u ADMIN:KYLIN -X GET -H 'Content-Type: application/json' -d {}
> [http://localhost:7070/kylin/api/hybrids?project]
> {quote}
> Quick look at the HybridService.java suggests that there is a bug in the
> code, where the very first line tries to check ACLs on the project using the
> project name, which is NULL, when project parameter is not specified as part
> of the URL.
> If parameter is specified without a value, ACL check is not performed, so
> it's another bug, as the list of projects is retrieved without read
> permission checking.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
