ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antonenko Alexander (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-16436) Unauthorized user can get access to admin pages by pointing to their URLs
Date Tue, 10 May 2016 16:35:12 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-16436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278408#comment-15278408
] 

Antonenko Alexander commented on AMBARI-16436:
----------------------------------------------

UI trunk unit tests:
 27718 tests complete (24 seconds)
  154 tests pending

Rat check passed.


> Unauthorized user can get access to admin pages by pointing to their URLs
> -------------------------------------------------------------------------
>
>                 Key: AMBARI-16436
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16436
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.4.0
>            Reporter: Antonenko Alexander
>            Assignee: Antonenko Alexander
>            Priority: Critical
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16436.patch
>
>
> # As Ambari admin, create a user and provide "Cluster User" role. On my cluster the user
is named *cluser*
> # Login with the newly created user account
> # Type the URL of some of the pages where "cluster user" is not allowed access like:
>  -- /views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/ 
>  -- /#/main/admin/serviceAccounts
>  -- /#/main/admin/kerberos
> and so on 
> Note - In some cases you may have to load the page twice after typing the URL
> *Result*: The pages are accessible. In one case, it allowed me to rename the cluster
from Admin page too. 
> Tried few other operations too with cluster user like create user, change user group,
but so far none of them is successful. Even though UI permitted them.
> This presents a security risk as unauthorized users may still have access to undesirable
piece of information.
> It would be good to point them to the home page in case they try accessing a page that
they are not allowed to



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message