This is an automated email from the ASF dual-hosted git repository. ctubbsii pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/main by this push: new db9e626 Remove a redundant audit message (#1831) db9e626 is described below commit db9e626a59930018a57f0dd996d55136b484b8dd Author: Christopher Tubbs <ctubb...@apache.org> AuthorDate: Wed Dec 9 16:40:18 2020 -0500 Remove a redundant audit message (#1831) This fixes #1827 correctly this time, after that incorrect fix was reverted. * Reverse order of checks, so that checking to see if a user has the SYSTEM permission is only done if the user is not authenticating themselves; this removes a redundant audit message indicating that the user does not have the SYSTEM permission when it isn't necessary to check for that in the first place * Ensure that the current user is always authenticated first, regardless of whether we check if the user is authenticating themselves or if they are authenticating another user using their SYSTEM permissions * Inline the unneeded method and add comments to significantly improve the readability of the code --- .../accumulo/server/security/SecurityOperation.java | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java index 5cde39b..f5ebd14 100644 --- a/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java +++ b/server/base/src/main/java/org/apache/accumulo/server/security/SecurityOperation.java 
@@ -227,19 +227,18 @@ public class SecurityOperation { } } - public boolean canAskAboutUser(TCredentials credentials, String user) + public boolean authenticateUser(TCredentials credentials, TCredentials toAuth) throws ThriftSecurityException { - // Authentication done in canPerformSystemActions - if (!(canPerformSystemActions(credentials) || credentials.getPrincipal().equals(user))) + authenticate(credentials); // authenticate the current user first + + // if the user to authenticate is not the current user, and the current user lacks + // the SYSTEM permission, then deny the request + if (!credentials.getPrincipal().equals(toAuth.getPrincipal()) + && !hasSystemPermission(credentials, SystemPermission.SYSTEM, false)) throw new ThriftSecurityException(credentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED); - return true; - } - public boolean authenticateUser(TCredentials credentials, TCredentials toAuth) - throws ThriftSecurityException { - canAskAboutUser(credentials, toAuth.getPrincipal()); - // User is already authenticated from canAskAboutUser + // the user is already authenticated above if the credentials to authenticate are the same if (credentials.equals(toAuth)) return true; try {
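Review bot: The early `return true` on `credentials.equals(toAuth)` is only a safe short-circuit if `TCredentials.equals` compares the token as well as the principal, and the hunk does not show that. The new comment above it should state that reliance, for example `// short-circuit relies on TCredentials.equals() comparing the token, not only the principal`. In the permission check, the bare `false` passed to `hasSystemPermission` has no visible meaning in the hunk, so a brief comment naming that argument would help anyone auditing this access-control path. Because the public method now holds the whole rule inline (the caller authenticates itself, or holds SYSTEM to authenticate another principal), a Javadoc stating that contract and the `PERMISSION_DENIED` outcome is worth adding. The body of `authenticateUser` continues past the `try {` that ends the hunk.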