Data node rest resources contains endpoints without permission checks #18854

Closed
kroepke opened this issue Mar 29, 2024 · 0 comments · Fixed by #19328

kroepke commented Mar 29, 2024

The endpoints /datanode/configured and /datanode/{nodeid} have no permission checks.
Please review whether that is required for bootstrap purposes or add a relevant permission annotation.

```java
@GET
@Path("{nodeId}")
@ApiOperation("Get data node information")
public DataNodeDto getDataNode(@ApiParam(name = "nodeId", required = true) @PathParam("nodeId") String nodeId) {
    try {
        return certRenewalService.addProvisioningInformation(nodeService.byNodeId(nodeId));
    } catch (NodeNotFoundException e) {
        throw new NotFoundException("Node " + nodeId + " not found");
    }
}

@DELETE
@Path("{nodeId}")
@ApiOperation("Remove node from cluster")
@AuditEvent(type = DATANODE_REMOVE)
@RequiresPermissions(RestPermissions.DATANODE_REMOVE)
public DataNodeDto removeNode(@ApiParam(name = "nodeId", required = true) @PathParam("nodeId") String nodeId,
                              @Context UserContext userContext) {
    try {
        return dataNodeService.removeNode(nodeId);
    } catch (NodeNotFoundException e) {
        throw new NotFoundException("Node " + nodeId + " not found");
    }
}
```

The endpoint POST /datanode/provision/generate does not seem to be used, at least I couldn't find any usages, but also has no permission checks.

```java
@POST
@Path("/generate")
@NoAuditEvent("No Audit Event needed")
public void generate() {
    final Map<String, DataNodeDto> activeDataNodes = nodeService.allActive();
    activeDataNodes.values().forEach(node -> dataNodeProvisioningService.changeState(node.getNodeId(), DataNodeProvisioningConfig.State.CONFIGURED));
}
```

In a related PR (#18736), I'm adding checks for all resources, and these need your input.
If the omission of permission checks is on purpose, please let me know so I can add the correct annotation in that PR.
Thanks!

kroepke added the bug label Mar 29, 2024

kroepke changed the title from "Data node rest resource contains resources without permission checks" to "Data node rest resources contains endpoints without permission checks" Mar 29, 2024
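
One way to catch this class of omission before review, as an added example that is not code from the project or from the issue author: a line-based Python scan that lists JAX-RS methods carrying an HTTP verb annotation but no `@RequiresPermissions`. The function name, the `guards` parameter and the one-annotation-per-line assumption are this example's own; the sample input is the annotations and signatures quoted in the issue, with method bodies elided.

```python
import re

HTTP_VERBS = {"GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"}
# A line holding exactly one annotation, e.g. @GET or @Path("{nodeId}").
ANNOTATION_LINE = re.compile(r"^@(\w+)(\(.*\))?$")
# Start of a public method declaration: "public <type> <name>(".
METHOD_DECL = re.compile(r"^public\s+[\w<>\[\], ?.]+?\s+(\w+)\s*\(")


def unguarded_endpoints(java_source, guards=("RequiresPermissions",)):
    """Return (verb, method) pairs for endpoint methods with no guard annotation."""
    # Heuristic: assumes one annotation per line, directly above the method.
    findings, pending = [], []
    for raw in java_source.splitlines():
        line = raw.strip()
        annotation = ANNOTATION_LINE.match(line)
        if annotation:
            pending.append(annotation.group(1))
            continue
        decl = METHOD_DECL.match(line)
        if decl:
            verbs = HTTP_VERBS.intersection(pending)
            if verbs and not set(guards).intersection(pending):
                findings.append((min(verbs), decl.group(1)))
        if line:
            pending = []  # annotations apply only to the declaration that follows
    return findings


# Annotations and signatures as quoted in the issue; method bodies elided.
SAMPLE = '''
@GET
@Path("{nodeId}")
@ApiOperation("Get data node information")
public DataNodeDto getDataNode(@ApiParam(name = "nodeId", required = true) @PathParam("nodeId") String nodeId) {
}
@DELETE
@Path("{nodeId}")
@ApiOperation("Remove node from cluster")
@AuditEvent(type = DATANODE_REMOVE)
@RequiresPermissions(RestPermissions.DATANODE_REMOVE)
public DataNodeDto removeNode(@ApiParam(name = "nodeId", required = true) @PathParam("nodeId") String nodeId,
                              @Context UserContext userContext) {
}
@POST
@Path("/generate")
@NoAuditEvent("No Audit Event needed")
public void generate() {
}
'''
```

Endpoints that are intentionally open can be excluded by adding the name of whatever marker annotation the code base uses for that purpose to `guards`.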