security: add authorization checks to OperationsDashboardHttpHandler#16155
security: add authorization checks to OperationsDashboardHttpHandler#16155adilburaksen wants to merge 1 commit into
Conversation
The GET /v3/dashboard endpoint read program-run records for the namespaces supplied in the 'namespace' query parameter without enforcing any access control on those namespaces. A caller could therefore retrieve program-run data from namespaces it is not authorized to access. Enforce StandardPermission.GET on each requested NamespaceId via the injected ContextAccessEnforcer before reading any program-run data, mirroring the namespace/program-level enforcement already performed by the sibling program and log handlers.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces authorization checks in the OperationsDashboardHttpHandler to ensure that callers have GET access to each requested namespace before reading program run data. The feedback recommends adding corresponding unit tests in OperationsDashboardHttpHandlerTest.java to verify that unauthorized access attempts are correctly blocked and return the expected error response.
| for (String namespace : namespaces) { | ||
| contextAccessEnforcer.enforce(new NamespaceId(namespace), StandardPermission.GET); | ||
| } |
There was a problem hiding this comment.
While the authorization check is correctly implemented, there are no unit tests added to verify this behavior. To prevent future regressions and ensure the security gate remains active, please add a test case in OperationsDashboardHttpHandlerTest.java that mocks ContextAccessEnforcer to throw an UnauthorizedException (or similar AccessException) for an unauthorized namespace, and asserts that the handler returns the expected error response (e.g., 403 Forbidden).
1 participant
Summary
GET /v3/dashboard(OperationsDashboardHttpHandler.readDashboardDetail) reads program-run records for every namespace supplied in thenamespacequery parameter, but performs no authorization check on those namespaces. A caller can therefore retrieve program-run data (application, program, run, principal, run status) from namespaces it is not authorized to access.The sibling program and log handlers already enforce access before returning per-namespace/per-program data (e.g.
ProgramRuntimeHttpHandlerandLogHttpHandler'sensureVisibilityOnProgram). This handler was missing the equivalent gate.Change
ContextAccessEnforcerintoOperationsDashboardHttpHandler(already globally bound viaAuthorizationEnforcementModule, same as the siblingMonitorHandlerin this package).readDashboardDetail, enforceStandardPermission.GETon each requestedNamespaceIdbefore any program-run data is read, so a caller without GET access on a namespace is rejected.This mirrors the existing namespace/program-level enforcement performed by the other app-fabric handlers and is consistent with the recent authorization-hardening changes in this area.
Compatibility
No API or response-shape changes for authorized callers. Callers requesting namespaces they are entitled to read are unaffected; requests that include a namespace the caller is not authorized for are now rejected instead of returning that namespace's data.