aurora-issues mailing list archives

From "Zameer Manji (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AURORA-837) validateSessionKeyForTasks can pass empty set of roles to checkAuthenticated
Date Tue, 14 Oct 2014 23:10:33 GMT

     [ https://issues.apache.org/jira/browse/AURORA-837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Zameer Manji updated AURORA-837:
--------------------------------
    Priority: Blocker  (was: Major)

> validateSessionKeyForTasks can pass empty set of roles to checkAuthenticated
> ----------------------------------------------------------------------------
>
>                 Key: AURORA-837
>                 URL: https://issues.apache.org/jira/browse/AURORA-837
>             Project: Aurora
>          Issue Type: Bug
>            Reporter: Zameer Manji
>            Priority: Blocker
>
> SchedulerThriftInterface.java contains the following:
> {noformat}
>   private SessionContext validateSessionKeyForTasks(
>       SessionKey session,
>       Query.Builder taskQuery,
>       Iterable<IScheduledTask> tasks) throws AuthFailedException {
>     // Authenticate the session against any affected roles, always including the role for a
>     // role-scoped query.  This papers over the implementation detail that dormant cron jobs are
>     // authenticated this way.
>     ImmutableSet.Builder<String> targetRoles = ImmutableSet.<String>builder()
>         .addAll(FluentIterable.from(tasks).transform(GET_ROLE));
>     if (taskQuery.get().isSetOwner()) {
>       targetRoles.add(taskQuery.get().getOwner().getRole());
>     }
>     return sessionValidator.checkAuthenticated(session, targetRoles.build());
>   }
> {noformat}
> Since the owner field is deprecated and a cron job may not have any tasks available, this can pass an empty set into {{checkAuthenticated}}. We should also grab the role from the query.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
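
An added example, not part of the original message and not Aurora's code: a self-contained Java sketch of why an empty role set matters when authorization is a per-role loop, and of a wrapper that also takes the role from the query and fails closed. The `RoleChecker` class, its method names, the sample grants, and the assumption that the validator iterates over the target roles are all hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for a session validator; not Aurora's implementation.
public class RoleChecker {
  // Constructed sample data: which roles each user may act as.
  static final Map<String, Set<String>> GRANTS = Map.of("alice", Set.of("www-data"));

  // Assumed behaviour: every target role is checked in a loop, so an empty
  // set performs no checks and the call returns normally for any user.
  static void checkAuthenticated(String user, Set<String> targetRoles) {
    for (String role : targetRoles) {
      if (!GRANTS.getOrDefault(user, Set.of()).contains(role)) {
        throw new SecurityException(user + " may not act as " + role);
      }
    }
  }

  // Hardened wrapper: collect roles from the tasks and from the query itself,
  // and refuse to authorize when no role could be resolved.
  static void checkForTasks(String user, List<String> taskRoles, String queryRole) {
    Set<String> targetRoles = new LinkedHashSet<>(taskRoles);
    if (queryRole != null) {
      targetRoles.add(queryRole);
    }
    if (targetRoles.isEmpty()) {
      throw new SecurityException("no target roles resolved; refusing to authorize");
    }
    checkAuthenticated(user, targetRoles);
  }

  public static void main(String[] args) {
    // Dormant cron job: no tasks, so the role set is empty and nothing is checked.
    checkAuthenticated("bob", Set.of());
    System.out.println("empty set: returned without any role check");

    // Same situation through the wrapper, with and without a role on the query.
    for (String queryRole : new String[] {"www-data", null}) {
      try {
        checkForTasks("bob", List.of(), queryRole);
      } catch (SecurityException e) {
        System.out.println("queryRole=" + queryRole + ": " + e.getMessage());
      }
    }
  }
}
```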
