incubator-ambari-dev mailing list archives

From "Yusaku Sako (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-1282) Admin user can lose its own admin privilege
Date Tue, 29 Jan 2013 06:37:12 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13565125#comment-13565125 ]

Yusaku Sako commented on AMBARI-1282:
-------------------------------------

Steps to reproduce:
* Click on "Admin" tab
* Click on "Edit" for the currently logged-in admin user
* Enter an invalid "old password" and set some "new password"; this pops up an error dialog
* Enter the valid "old password" and set some "new password". This makes a PUT call with "roles":"user"
rather than "roles":"admin,user".
* The user seems to still have admin privilege. In fact I was able to create a new user. But
if you log out, refresh the page, and log back in, the user has lost the admin privilege.
If you simply log out and log back in without refreshing the page, the UI still shows the Admin
tab.

Also, instead of calling it "old password", we should really call it "current password".
                
> Admin user can lose its own admin privilege
> -------------------------------------------
>
>                 Key: AMBARI-1282
>                 URL: https://issues.apache.org/jira/browse/AMBARI-1282
>             Project: Ambari
>          Issue Type: Bug
>          Components: client
>    Affects Versions: 1.2.0
>            Reporter: Yusaku Sako
>            Priority: Critical
>             Fix For: 1.3.0
>
>
> By playing around with "User Edit" feature, I was able to lose the admin privilege of my own admin account. I was using the default admin account, with no other users in the system.
> After logging out and logging back in, I no longer have access to the Admin tab.
> In the Ambari database, ambari.user_roles table says that the "admin" user only has "user" privilege now.
> At this point, a row needs to be inserted into the ambari.user_roles table manually for the admin user to get the admin privilege back.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
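
The lockout reported above (the only admin account saved with "roles":"user") can be refused where the update is persisted, regardless of what the client sends. The following is an added sketch, not code from the original message or from Ambari; the in-memory store, the function names and the status codes are assumptions made for illustration.

```javascript
// Hypothetical in-memory model of a user/role store; not Ambari's schema or API.
function parseRoles(value) {
  // "admin,user" -> Set {"admin", "user"}; tolerates spaces and empty items.
  return new Set(String(value).split(',').map(r => r.trim()).filter(Boolean));
}

function countAdmins(store) {
  let n = 0;
  for (const roles of store.values()) if (roles.has('admin')) n++;
  return n;
}

// Validate the body of a user-update request before persisting it.
// Returns { ok, status, error? } and changes `store` only when ok is true.
function applyUserUpdate(store, userName, body) {
  const current = store.get(userName);
  if (!current) return { ok: false, status: 404, error: 'no such user' };

  // A password-only edit must not touch roles: an absent field means "keep".
  if (body.roles === undefined) return { ok: true, status: 200 };

  const next = parseRoles(body.roles);
  if (next.size === 0) {
    return { ok: false, status: 400, error: 'roles must not be empty' };
  }

  const losesAdmin = current.has('admin') && !next.has('admin');
  if (losesAdmin && countAdmins(store) === 1) {
    // The case from the report: the only admin would be demoted to "user".
    return { ok: false, status: 409, error: 'cannot remove the last admin' };
  }

  store.set(userName, next);
  return { ok: true, status: 200 };
}

// Constructed sample: a single default admin, then the update from the report.
function demo() {
  const store = new Map([['admin', parseRoles('admin,user')]]);
  const result = applyUserUpdate(store, 'admin', { password: 'new', roles: 'user' });
  return { result, rolesAfter: [...store.get('admin')].join(',') };
}

console.log(demo());
```
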
