ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-16436) Unauthorized user can get access to admin pages by pointing to their URLs
Date Thu, 12 May 2016 14:21:13 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-16436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15281546#comment-15281546
] 

Hudson commented on AMBARI-16436:
---------------------------------

SUCCESS: Integrated in Ambari-trunk-Commit #4829 (See [https://builds.apache.org/job/Ambari-trunk-Commit/4829/])
AMBARI-16436. Unauthorized user can get access to admin pages by (hiveww: [http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=56f4c618a7fa6cfc714e429e73d468788740352f])
* ambari-web/app/routes/main.js


> Unauthorized user can get access to admin pages by pointing to their URLs
> -------------------------------------------------------------------------
>
>                 Key: AMBARI-16436
>                 URL: https://issues.apache.org/jira/browse/AMBARI-16436
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.4.0
>            Reporter: Antonenko Alexander
>            Assignee: Antonenko Alexander
>            Priority: Critical
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-16436.patch
>
>
> # As Ambari admin, create a user and provide "Cluster User" role. On my cluster the user
is named *cluser*
> # Login with the newly created user account
> # Type the URL of some of the pages where "cluster user" is not allowed access like:
>  -- /views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/ 
>  -- /#/main/admin/serviceAccounts
>  -- /#/main/admin/kerberos
> and so on 
> Note - In some cases you may have to load the page twice after typing the URL
> *Result*: The pages are accessible. In one case, it allowed me to rename the cluster
from Admin page too. 
> Tried few other operations too with cluster user like create user, change user group,
but so far none of them is successful. Even though UI permitted them.
> This presents a security risk as unauthorized users may still have access to undesirable
piece of information.
> It would be good to point them to the home page in case they try accessing a page that
they are not allowed to



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message