ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antonenko Alexander (JIRA)" <>
Subject [jira] [Commented] (AMBARI-16436) Unauthorized user can get access to admin pages by pointing to their URLs
Date Tue, 10 May 2016 16:35:12 GMT


Antonenko Alexander commented on AMBARI-16436:

UI trunk unit tests:
 27718 tests complete (24 seconds)
  154 tests pending

Rat check passed.

> Unauthorized user can get access to admin pages by pointing to their URLs
> -------------------------------------------------------------------------
>                 Key: AMBARI-16436
>                 URL:
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.4.0
>            Reporter: Antonenko Alexander
>            Assignee: Antonenko Alexander
>            Priority: Critical
>             Fix For: 2.4.0
>         Attachments: AMBARI-16436.patch
> # As Ambari admin, create a user and provide "Cluster User" role. On my cluster the user
is named *cluser*
> # Login with the newly created user account
> # Type the URL of some of the pages where "cluster user" is not allowed access like:
>  -- /views/ADMIN_VIEW/ 
>  -- /#/main/admin/serviceAccounts
>  -- /#/main/admin/kerberos
> and so on 
> Note - In some cases you may have to load the page twice after typing the URL
> *Result*: The pages are accessible. In one case, it allowed me to rename the cluster
from Admin page too. 
> Tried few other operations too with cluster user like create user, change user group,
but so far none of them is successful. Even though UI permitted them.
> This presents a security risk as unauthorized users may still have access to undesirable
piece of information.
> It would be good to point them to the home page in case they try accessing a page that
they are not allowed to

This message was sent by Atlassian JIRA

View raw message