ambari-issues mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-21016) RBAC:Ambari should be sensitive to the change of login user's permissions.
Date Tue, 16 May 2017 15:01:04 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-21016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16012525#comment-16012525 ]

Robert Levas commented on AMBARI-21016:
---------------------------------------

[~yaolei]

{quote}
I happen to find the subclasses of BaseManagementHandler will return 403 if catching AuthorizationException,
I wonder whether we can return 401.
Are there some reasons to do so?
{quote}

I am not sure why we would need to change this. I believe that technically, if no user is
authenticated we should return a 401 status with an appropriate {{WWW-Authenticate}} header;
however, I believe the accepted standard on the web is to return a 403 status.

> RBAC:Ambari should be sensitive to the change of login user's permissions.
> --------------------------------------------------------------------------
>
>                 Key: AMBARI-21016
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21016
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-web
>    Affects Versions: 2.5.0
>            Reporter: Yao Lei
>            Assignee: Yao Lei
>            Priority: Minor
>             Fix For: 2.5.1
>
>         Attachments: AMBARI-21016.1.patch, AMBARI-21016.patch
>
>
> Steps to reproduce:
> 1. Log in to Ambari with the Ambari administrator role and create a user named Test on host A.
> 2. Assign the service administrator role (or any other one of the five roles) to this user Test.
> 3. On host B, log in to Ambari with user Test. Now it acts as a service administrator.
> 4. On host A, unassign the role of user Test, or change the role to another one, or even
> delete this user.
> 5. On host B, we will find the user Test can continue to operate Ambari with the previous
> permissions of a service administrator, which have actually already been changed by step 4.
> Besides using two different hosts, we can also reproduce this problem between two different
> browsers on the local host.
> One solution:
> Periodically schedule a task to update the current user's authorization. If any error happens
> in this process, we should log off the current user.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
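The solution proposed in the issue description (periodically re-fetch the logged-in user's authorization and log the user off if the refresh fails) is shown below as an added example. It is not code from Ambari or from this thread: the endpoint shape, the role names and the server stub are constructed for offline demonstration, and the stub is synchronous where a real browser call would be asynchronous. The check treats three outcomes differently: a transport failure or a denying status (401/403) or a deleted user (404) ends the session, a change in the role set also ends the session so the UI reloads its permissions on the next login, and an unchanged role set keeps the session alive.

```javascript
// Added example, not Ambari code: client-side re-validation of the cached
// permissions of the logged-in user, the approach the issue proposes.

// Compare two role lists regardless of order.
function sameRoles(a, b) {
  if (a.length !== b.length) return false;
  const sa = [...a].sort();
  const sb = [...b].sort();
  return sa.every((role, i) => role === sb[i]);
}

// One re-validation step.
// session:    { user, roles } as cached in the browser at login time
// fetchRoles: function(user) -> { status, roles }; hypothetical endpoint
//             shape, assumed here (a real call would be asynchronous)
// logout:     callback invoked with a reason when the session must end
// Returns 'ok', 'changed' or 'error'.
function revalidate(session, fetchRoles, logout) {
  let resp;
  try {
    resp = fetchRoles(session.user);
  } catch (e) {
    // The refresh itself failed: fail closed, as the issue suggests.
    logout('transport error');
    return 'error';
  }
  if (resp.status === 401 || resp.status === 403 || resp.status === 404) {
    // Session no longer accepted, access denied, or user deleted on another host.
    logout(`server returned ${resp.status}`);
    return 'error';
  }
  if (!sameRoles(session.roles, resp.roles)) {
    // Roles were reassigned elsewhere; the cached permissions are stale.
    logout('permissions changed');
    return 'changed';
  }
  return 'ok';
}

// Run the check on a fixed interval and stop once the session has ended.
// Returns a function that cancels the watch.
function startPermissionWatch(session, fetchRoles, logout, intervalMs) {
  const timer = setInterval(() => {
    if (revalidate(session, fetchRoles, logout) !== 'ok') clearInterval(timer);
  }, intervalMs);
  return () => clearInterval(timer);
}

// Constructed server stub: an in-memory role table that an administrator
// edits from "host A" while the watched session runs on "host B".
function makeServerStub(table) {
  return (user) => {
    if (!(user in table)) return { status: 404, roles: [] };
    return { status: 200, roles: table[user] };
  };
}

// Walk through the issue's reproduction steps with the stub.
function demo() {
  const table = { Test: ['SERVICE.ADMINISTRATOR'] }; // constructed sample role
  const fetchRoles = makeServerStub(table);
  const events = [];
  const session = { user: 'Test', roles: ['SERVICE.ADMINISTRATOR'] };
  const logout = (why) => events.push(why);

  const first = revalidate(session, fetchRoles, logout);   // 'ok'
  table.Test = ['SERVICE.OPERATOR'];                       // role changed on host A
  const second = revalidate(session, fetchRoles, logout);  // 'changed'
  delete table.Test;                                       // user deleted on host A
  const third = revalidate(session, fetchRoles, logout);   // 'error'
  return { results: [first, second, third], events };
}
```

In a real client the watch would be started once after login with the interval the deployment tolerates, and the logout callback would clear the stored session and redirect to the login page; the comparison step is what makes a role change visible to the other host or browser without waiting for the next login.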
