Impact
Any install that has UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES set in the front-end configuration is affected. The UI honours these properties by disabling the inline editor, but the frontend service's own API endpoints for writing descriptions (put_table_description and put_column_description) never consult them, so any user who can reach the API can modify table and column descriptions even though the properties imply they should not be able to.
Patches
There is an attached PR that applies this restriction on the back-end.
Workarounds
N/A
References
N/A
For more information
If you have any questions or comments about this advisory:
More details
Summary: I believe that UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the front-end, not on the frontend service back-end, allowing any user to modify table and column descriptions even if this configuration parameter is set.
Repro steps:
1. docker-compose -f docker-amundsen.yml up neo4j elasticsearch amundsensearch amundsenmetadata
2. python example/scripts/sample_data_loader.py
3. FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig PYTHONPATH=. python3 amundsen_application/wsgi.py
4. Attempt a modification to a table description:
   curl 'http://localhost:5000/api/metadata/v0/put_table_description' \
     -X 'PUT' \
     -H 'Content-Type: application/json;charset=UTF-8' \
     --data-binary '{"description":"2t test table","key":"hive://gold.test_schema/test_table1","source":"user"}'
   {"msg":"Success"}
5. This correctly succeeds, which can be validated by GETing the info:
   curl 'http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1'
   {"description":"1st test table","msg":"Success"}
At this point, modify TestConfig inside config.py to add this line: UNEDITABLE_SCHEMAS = set(['test_schema'])
You can now re-run step 4 and step 5 with different data, and confirm that the modification has persisted. If you build and run the UI, you can see that on the page http://localhost:5000/table_detail/gold/hive/test_schema/test_table1 the inline editor is correctly disabled.
Looking at amundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268 put_table_description, you can see there's no reference to UNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES. The only place I can find these referenced is in amundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full, which would explain why the UI is correctly respecting this setting.
If this is correct, put_column_description would also be similarly affected.
I believe the correct fix for all of these methods is to load the table, run it through marshall_dashboard_partial to fully evaluate what's editable or not (to reuse the same code path for FE and back-end), and reject the response if it's not editable. I'll implement a fix along these lines once someone confirms this.
History: This functionality was introduced in amundsen-io/amundsenfrontendlibrary#497 (https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files) on July 9, corresponding to the 2.3.0 release of amundsenfrontend. That release was introduced into the main repo dockerfile on October 28 in amundsen-io/amundsen#785.
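The server-side check the report describes as missing, written out as an added example for this advisory (it is not Amundsen's code and not the attached PR): parse the table key format shown in the repro (`hive://gold.test_schema/test_table1`), decide editability from UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES on the server, and refuse the PUT before anything is forwarded to the metadata service. It guards both put_table_description and put_column_description, since the report expects the column endpoint to be affected in the same way. MatchRule, Config, InMemoryMetadata, _check and the regex-matching semantics (every regex set on a rule must match the whole schema or table name) are assumptions made for illustration; the project's own match-rule objects and their exact fields are not shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MatchRule:
    """Hypothetical stand-in for the project's match-rule objects (assumed shape).

    A table matches when every regex that is set matches in full; a rule with
    neither regex set matches nothing, so an empty rule cannot lock everything.
    """
    schema_regex: Optional[str] = None
    table_name_regex: Optional[str] = None

    def matches(self, schema: str, table: str) -> bool:
        if self.schema_regex is None and self.table_name_regex is None:
            return False
        if self.schema_regex is not None and not re.fullmatch(self.schema_regex, schema):
            return False
        if self.table_name_regex is not None and not re.fullmatch(self.table_name_regex, table):
            return False
        return True


@dataclass
class Config:
    """The two settings from the advisory, as a minimal config object (assumed shape)."""
    UNEDITABLE_SCHEMAS: Set[str] = field(default_factory=set)
    UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES: List[MatchRule] = field(default_factory=list)


def parse_table_key(key: str) -> Tuple[str, str, str, str]:
    """Split 'hive://gold.test_schema/test_table1' into (database, cluster, schema, table)."""
    m = re.fullmatch(r"([^:/]+)://([^./]+)\.([^/]+)/([^/]+)", key)
    if m is None:
        raise ValueError(f"malformed table key: {key!r}")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def is_table_editable(key: str, config: Config) -> bool:
    """Server-side decision: deny when the schema is listed or any rule matches."""
    _db, _cluster, schema, table = parse_table_key(key)
    if schema in config.UNEDITABLE_SCHEMAS:
        return False
    return not any(rule.matches(schema, table)
                   for rule in config.UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES)


class InMemoryMetadata:
    """Constructed stand-in for the metadata service the frontend proxies writes to."""
    def __init__(self) -> None:
        self.table_descriptions: Dict[str, str] = {}
        self.column_descriptions: Dict[Tuple[str, str], str] = {}


def _check(payload: dict, config: Config) -> Optional[Tuple[int, dict]]:
    """Shared guard for both PUT endpoints; returns an error response or None."""
    key = payload.get("key")
    if not isinstance(key, str) or not key:
        return 400, {"msg": "missing table key"}
    try:
        editable = is_table_editable(key, config)
    except ValueError as exc:
        return 400, {"msg": str(exc)}
    if not editable:
        # Refuse here, before the write reaches the metadata service.
        return 403, {"msg": f"description of {key} is not editable"}
    return None


def put_table_description(payload: dict, config: Config,
                          metadata: InMemoryMetadata) -> Tuple[int, dict]:
    """Equivalent of the PUT endpoint in the repro, with the guard applied."""
    err = _check(payload, config)
    if err:
        return err
    metadata.table_descriptions[payload["key"]] = payload.get("description", "")
    return 200, {"msg": "Success"}


def put_column_description(payload: dict, config: Config,
                           metadata: InMemoryMetadata) -> Tuple[int, dict]:
    """Column variant: same table-level guard, then a column_name is required."""
    err = _check(payload, config)
    if err:
        return err
    column = payload.get("column_name")
    if not isinstance(column, str) or not column:
        return 400, {"msg": "missing column_name"}
    metadata.column_descriptions[(payload["key"], column)] = payload.get("description", "")
    return 200, {"msg": "Success"}
```

With UNEDITABLE_SCHEMAS = {'test_schema'}, the exact payload from step 4 of the repro now gets a 403 and the stored description is untouched, while a table in any other schema still returns {"msg":"Success"}. Keeping the decision in one function that both endpoints call is what makes the UI and the API agree, which is the point the report makes about sharing a single code path.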