[jira] [Resolved] (STORM-3251) Using Logviewer Filter settings causes anyone to access logs via log viewer REST API

Robert Joseph Evans (JIRA) Fri, 12 Oct 2018 14:42:06 -0700


     [ 
https://issues.apache.org/jira/browse/STORM-3251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Robert Joseph Evans resolved STORM-3251.
----------------------------------------
       Resolution: Fixed
    Fix Version/s: 2.0.0

Thanks [~agresch],

 

I merged this into master.

> Using Logviewer Filter settings causes anyone to access logs via log viewer 
> REST API
> ------------------------------------------------------------------------------------
>
>                 Key: STORM-3251
>                 URL: https://issues.apache.org/jira/browse/STORM-3251
>             Project: Apache Storm
>          Issue Type: Bug
>            Reporter: Aaron Gresch
>            Assignee: Aaron Gresch
>            Priority: Critical
>              Labels: pull-request-available
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The rest API for logviewer access is checking if UI filter params is set to 
> deny access to users.  It's possible now to configure the logviewer without 
> UI filter params, so this check is no longer sufficient and can allow anyone 
> access to logs.
>  
> See ResourceAuthorizer line 68....



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Resolved] (STORM-3251) Using Logviewer Filter settings causes anyone to access logs via log viewer REST API

Reply via email to