Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 44733200C67 for ; Mon, 15 May 2017 15:54:09 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 43187160BD0; Mon, 15 May 2017 13:54:09 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 8CA50160BC2 for ; Mon, 15 May 2017 15:54:08 +0200 (CEST) Received: (qmail 67615 invoked by uid 500); 15 May 2017 13:54:07 -0000 Mailing-List: contact issues-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ambari.apache.org Delivered-To: mailing list issues@ambari.apache.org Received: (qmail 67605 invoked by uid 99); 15 May 2017 13:54:07 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 15 May 2017 13:54:07 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 4B21A1AFD45 for ; Mon, 15 May 2017 13:54:07 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -99.202 X-Spam-Level: X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id 133TCuS5YZig for ; Mon, 15 May 2017 13:54:06 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 23E895FB06 for ; Mon, 15 May 2017 13:54:06 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 5D133E0D5F for ; Mon, 15 May 2017 13:54:05 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 4486024350 for ; Mon, 15 May 2017 13:54:04 +0000 (UTC) Date: Mon, 15 May 2017 13:54:04 +0000 (UTC) From: "Robert Levas (JIRA)" To: issues@ambari.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (AMBARI-21016) RBAC:Ambari should be sensitve to the change of login user's permissions. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Mon, 15 May 2017 13:54:09 -0000 [ https://issues.apache.org/jira/browse/AMBARI-21016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16010548#comment-16010548 ] Robert Levas commented on AMBARI-21016: --------------------------------------- [~jonathan.hurley].. We can't force a logout since we don't if the user being updated is using Ambari at the time of the change. However invalidating the session, is essentially forcing a logout. So of the frontend can detect a change in permissions for the user, then it could force a logout. This, however, will not help if the user is issuing REST API calls using a cookie to maintain a session and therefore keep the user logged in. Maybe a session manager can be established to monitor the active sessions. Then, if a user's permissions have changed, the session manager can be trigger to destroy the relevant user's session. Or may be trigger the security context to be reset with the new data. However this still seems to be overkill for the frequency in which this will happen. > RBAC:Ambari should be sensitve to the change of login user's permissions. > ------------------------------------------------------------------------- > > Key: AMBARI-21016 > URL: https://issues.apache.org/jira/browse/AMBARI-21016 > Project: Ambari > Issue Type: Improvement > Components: ambari-web > Affects Versions: trunk > Reporter: Yao Lei > Assignee: Yao Lei > Priority: Minor > Fix For: trunk > > Attachments: AMBARI-21016.patch > > > Steps to reproduce: > 1.Login ambari with ambari administrator role and create a user named Test on host A. > 2.Assign service administrator role(or any other one of five roles) to this user Test. > 3.On host B, login ambari with user Test .Now it plays as a service administrato role. > 4.On host A, unassign the role of user Test , or change the role to another one, or even delete this user. > 5.On host B, we will find the user Test can continue to operate ambari with previous permissions as a service administrator which actually have already changed by step 4. > Except for on two different hosts, we also can reproduce this problem between two different browsers on local host. > One solution: > Periodly schedule a task to update current user's authorization. If any error happens in this process, we should log off current user. -- This message was sent by Atlassian JIRA (v6.3.15#6346)