azkaban / azkaban-plugins

Plugins for Azkaban.
https://azkaban.github.io
Apache License 2.0

remove goHomeDir action #296

Closed burgerkingeater closed 6 years ago

burgerkingeater commented 6 years ago

The HdfsBrowserServlet allows a user to view HDFS as their own authenticated user or as any other proxy user. Looking at the validation logic, 3 branches exist for obtaining the username of the current user which the plugin proxies as:

  1. Current user from session
  2. Proxy user via session attribute which validates the user has permissions
  3. A "proxyname" parameter when "action" is set to "goHomeDir"

The final option is implemented as follows:

plugins/hdfsviewer/src/azkaban/viewer/hdfs/HdfsBrowserServlet.java

```java
if(hasParam(req, "action") && getParam(req, "action").equals("goHomeDir")) {
    username = getParam(req, "proxyname");
}
```

This means a user can "proxy" as any other valid user by simply appending "?action=goHomeDir&proxyname=$username" to the URL.

This PR removes goHomeDir action.
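
For deployments that ran the viewer before this branch was removed, the following added example (not part of the original PR or of Azkaban's code) reviews web access logs for requests where `action=goHomeDir` supplied a `proxyname` other than the logged authenticated user. The Common Log Format layout, the `/hdfs` path and all sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in Common Log Format; the field layout and the
# /hdfs path are assumptions, adjust them to the deployment's real log format.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2018:10:01:02 +0000] "GET /hdfs/user/alice HTTP/1.1" 200 5120
10.0.0.5 - alice [12/Mar/2018:10:01:09 +0000] "GET /hdfs?action=goHomeDir&proxyname=alice HTTP/1.1" 200 4312
10.0.0.7 - bob [12/Mar/2018:10:02:30 +0000] "GET /hdfs?proxyname=hdfs&action=goHomeDir HTTP/1.1" 200 9981
10.0.0.7 - bob [12/Mar/2018:10:02:41 +0000] "GET /hdfs?action=goHomeDir&proxyname=%65tl_svc HTTP/1.1" 200 7710
10.0.0.9 - - [12/Mar/2018:10:03:00 +0000] "GET /hdfs?action=goHomeDir&proxyname=carol HTTP/1.1" 200 2048
10.0.0.9 - carol [12/Mar/2018:10:03:05 +0000] "GET /hdfs?action=other&proxyname=dave HTTP/1.1" 200 100
"""

CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def find_proxy_overrides(log_text):
    """Return one finding per request where goHomeDir set a proxy user that
    differs from (or cannot be tied to) the logged authenticated user."""
    findings = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        # parse_qs percent-decodes values, so encoded names are compared decoded
        params = parse_qs(urlsplit(m["target"]).query)
        # The servlet compares with equals(), so the match is case-sensitive
        if "goHomeDir" not in params.get("action", []):
            continue
        for proxy in params.get("proxyname", []):
            user = m["user"]
            if user == "-" or proxy != user:
                findings.append({"ip": m["ip"], "ts": m["ts"], "session_user": user,
                                 "proxyname": proxy, "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for finding in find_proxy_overrides(SAMPLE_LOG):
        print(finding)
```

If the access log does not record the authenticated user, every `goHomeDir` request carrying a `proxyname` is reported with `session_user` set to `-` and has to be correlated with session data by other means.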

burgerkingeater commented 6 years ago

PR should go to the azkaban main repo, given this module is now part of the azkaban main repo. Duplicate of https://github.com/azkaban/azkaban/pull/1799