falcon-dev mailing list archives

From "Venkatesh Seetharam (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FALCON-466) REST APIs must add the entity owner as an implicit filter
Date Wed, 30 Jul 2014 15:48:38 GMT

    [ https://issues.apache.org/jira/browse/FALCON-466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14079399#comment-14079399 ]

Venkatesh Seetharam commented on FALCON-466:

[~bvellanki], I think this was not the intent of the jira. The solution you have in the patch
is already part of FALCON-464. The intent of this jira as the summary says is to implicitly
filter the entities for the authenticated user. You could use one of the methods on the AuthorizationProvider
to check if the entity in question is indeed allowed to be viewed by the authenticated user.

The following APIs need to filter the entities in question before returning them.
* api/entities/list - org.apache.falcon.resource.AbstractEntityManager#getEntityList

Instance list is fine since the entity in question is already authorized.

Makes sense?

> REST APIs must add the entity owner as an implicit filter
> ---------------------------------------------------------
>                 Key: FALCON-466
>                 URL: https://issues.apache.org/jira/browse/FALCON-466
>             Project: Falcon
>          Issue Type: Sub-task
>          Components: webapp
>    Affects Versions: 0.6
>            Reporter: Venkatesh Seetharam
>            Assignee: Balu Vellanki
>              Labels: authorization, security
>             Fix For: 0.6
>         Attachments: FALCON-466.patch
> Implement authorization for entity actions. Entity created by one user should not be
> updated/deleted by another user. Entity operations will only apply for the entities owned
> by that user.
> Entity and instance operations must add the authenticated user/owner as an implicit filter
> so the user operates on only his entities. For example: List will return entities belonging
> to the authenticated user, lifecycle operations such as delete/kill/suspend/resume/etc. are
> only applicable to the owner of the entity.

This message was sent by Atlassian JIRA
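An added illustration of the two shapes contrasted in the comment above (an entity list that leaks every user's entities versus one that applies the authenticated user as an implicit filter, with the instance list authorizing its entity once up front); this is not Falcon's code, and the Entity record, AuthorizationProvider interface and method names are assumptions standing in for the real classes.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Hypothetical stand-ins for Falcon's entity model and AuthorizationProvider (names assumed).
record Entity(String name, String type, String owner) {}

interface AuthorizationProvider {
    boolean canView(String user, Entity entity);   // may 'user' view 'entity'?
}
// Owner-only policy, matching the ticket: a user sees only entities he created.
class OwnerOnlyProvider implements AuthorizationProvider {
    public boolean canView(String user, Entity entity) {
        return entity.owner().equals(user);
    }
}

class EntityManager {
    private final Map<String, Entity> store;   // every entity known to the server, keyed by name
    private final AuthorizationProvider authz;

    EntityManager(Map<String, Entity> store, AuthorizationProvider authz) {
        this.store = store;
        this.authz = authz;
    }

    // Before: api/entities/list returns every entity of the type, exposing other users' names.
    List<String> listEntitiesUnfiltered(String type) {
        return store.values().stream()
                .filter(e -> e.type().equals(type))
                .map(Entity::name).sorted().collect(Collectors.toList());
    }

    // After: the authenticated user is an implicit filter applied before the response is built.
    List<String> listEntities(String type, String authenticatedUser) {
        return store.values().stream()
                .filter(e -> e.type().equals(type))
                .filter(e -> authz.canView(authenticatedUser, e))
                .map(Entity::name).sorted().collect(Collectors.toList());
    }

    // Instance list needs no per-instance filter: authorize the named entity once up front.
    // Missing and foreign entities get the same error, so entity names cannot be probed.
    List<String> listInstances(String entityName, String authenticatedUser) {
        Entity e = store.get(entityName);
        if (e == null || !authz.canView(authenticatedUser, e)) {
            throw new SecurityException("not authorized to view entity " + entityName);
        }
        return List.of(entityName + "/2014-07-30T00:00Z");   // constructed instance id
    }
}
```

With a store holding a process owned by "alice" and one owned by "bob", `listEntities("process", "alice")` returns only alice's process while `listEntitiesUnfiltered("process")` returns both, and `listInstances` of bob's process as alice throws.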
