HPCC-30111 Look up internal file scope name instead of using a hardcoded value #17684

17 changes: 14 additions & 3 deletions system/security/plugins/jwtSecurity/jwtSecurity.cpp
@@ -125,6 +125,10 @@ class CJwtSecurityManager : implements IDaliLdapConnection, public CBaseSecurity

if (secretsName.empty())
throw makeStringException(-1, "CJwtSecurityManager: secretsName not found in configuration");

// Grab a copy of the name of the internal file scope
hpccInternalScope = queryDfsXmlBranchName(DXB_Internal);
hpccInternalScope += "::";
}

virtual ~CJwtSecurityManager()
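Review bot: The assignment `hpccInternalScope = queryDfsXmlBranchName(DXB_Internal);` relies on the call never returning a null pointer; if it can (its contract is not visible here), building the std::string from a null pointer is undefined behaviour and the later prefix test would run against whatever that produced. A check that fails closed, throwing a makeStringException in the same style as the secretsName check just above when the returned pointer is null or empty, would stop the manager from starting with an unusable scope prefix. The constructor begins outside the hunk.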
@@ -794,10 +798,16 @@ class CJwtSecurityManager : implements IDaliLdapConnection, public CBaseSecurity
{
// Scope hpccinternal::<username> always has full access for their own scope, but
// explicitly denied when attempting to access someone else's
// hpccinternal::<username> scope
if (resourceName && strncmp(resourceName, "hpccinternal::", 14) == 0)
// hpccinternal::<username> scope; note that resourceName may contain more
// scope levels
if (startsWithIgnoreCase(resourceName, hpccInternalScope.c_str()))
{
if (strisame(&resourceName[14], user.getName()))
// Extract the username provided in the resourceName
StringBuffer rezUserName;
for (const char * p = &resourceName[hpccInternalScope.length()]; *p && *p != ':'; p++)
rezUserName.append(*p);

if (strisame(rezUserName.str(), user.getName()))
accessFlag = SecAccess_Full;
else
accessFlag = SecAccess_None;
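Review bot: The rewritten condition on the `if (startsWithIgnoreCase(resourceName, hpccInternalScope.c_str()))` line drops the `resourceName &&` guard that the removed strncmp check carried; unless startsWithIgnoreCase is known to accept a null string (not visible here), restore it as `if (resourceName && startsWithIgnoreCase(resourceName, hpccInternalScope.c_str()))` so a missing resource name cannot dereference null. The extraction loop also leaves rezUserName empty when resourceName is exactly the internal scope prefix, and the access decision then depends on how strisame compares "" with the user name; failing closed explicitly with `if (rezUserName.length() && strisame(rezUserName.str(), user.getName()))` keeps the deny result independent of that helper's handling of empty strings. The enclosing function starts and ends outside the hunk.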
@@ -1059,6 +1069,7 @@ class CJwtSecurityManager : implements IDaliLdapConnection, public CBaseSecurity
std::string keyContents; //!< Contents of secret key; @see ensureKeyLoaded()
bool keyIsPublicKey; //!< True if keyContents contains a public key, false otherwise
CDALIKVStore daliStore; //!< Handle to Dali's key/value store (external token cache)
std::string hpccInternalScope; //!< File scope used by the cluster for interim results
static const SecFeatureSet implementedFeaturesMask = SMF_Authorize
| SMF_AuthorizeEx_Named
| SMF_AuthorizeFileScope_List
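Review bot: The new member comment on the `std::string hpccInternalScope;` line should state that the stored value carries the trailing `::` separator, because the authorization code indexes resourceName by hpccInternalScope.length() and that offset is only correct with the separator included: `std::string hpccInternalScope; //!< Internal file scope prefix for interim results, including the trailing "::" separator; set once in the constructor`. Recording that invariant next to the field keeps a future change to the constructor from silently shifting the username extraction. The class body continues outside the hunk.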