Posted to dev@ranger.apache.org by "kirby zhou (Jira)" <ji...@apache.org> on 2022/02/11 02:28:00 UTC

[jira] [Created] (RANGER-3616) Security Risk. ugsync API can create a hidden user.

kirby zhou created RANGER-3616:
----------------------------------

             Summary: Security Risk. ugsync API can create a hidden user.
                 Key: RANGER-3616
                 URL: https://issues.apache.org/jira/browse/RANGER-3616
             Project: Ranger
          Issue Type: Bug
          Components: Ranger, usersync
    Affects Versions: 2.2.0, 3.0.0
            Reporter: kirby zhou
         Attachments: 截屏2022-02-11 上午10.23.40.jpg, 截屏2022-02-11 上午10.24.27.jpg

We can use the REST API /service/xusers/ugsync/users to create a user without userRoleList. And the user is hidden in the Ranger Admin user list.

#] curl -u: --negotiate --header 'Content-Type: application/json' --data '{"vXUsers" :[{"name":"hehe", "description" : "hehe", "syncSorce": "Unix"}], "totalCount" : 1}' 'http://kirbytest01.sa:6080/service/xusers/ugsync/users'

1

The user "hehe" is created, but cannot be seen in the WebUI.

But it can be used in policies; it should be a security risk.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
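A defender-side check for the condition this report describes, written here as an added example that is not code from the Ranger project or from the reporter: it scans a Ranger Admin user listing and flags every user whose userRoleList is missing or empty, so that accounts like "hehe" can be reviewed even though the WebUI does not show them. It assumes the listing comes from GET /service/xusers/users and has the shape {"vXUsers": [...]} with "name" and "userRoleList" per entry (an assumption based on the field names in this report); the sample response in the block is constructed, and the fetch helper is only used when a server URL is passed on the command line.

```python
"""Flag Ranger users that have no userRoleList.

Added example, not Ranger project code. Assumes GET /service/xusers/users
returns {"vXUsers": [{"id": ..., "name": ..., "userRoleList": [...]}, ...]}.
"""
import base64
import json
import sys
import urllib.request
from typing import Dict, List

# Constructed sample of a user listing (not real data). Two of the four
# entries lack roles: one has no userRoleList key, one has an empty list.
SAMPLE_RESPONSE = json.dumps({
    "startIndex": 0,
    "pageSize": 200,
    "totalCount": 4,
    "vXUsers": [
        {"id": 1, "name": "admin", "userRoleList": ["ROLE_SYS_ADMIN"], "userSource": 0},
        {"id": 7, "name": "alice", "userRoleList": ["ROLE_USER"], "userSource": 1},
        {"id": 9, "name": "hehe", "description": "hehe"},
        {"id": 10, "name": "bob", "userRoleList": [], "userSource": 1},
    ],
})


def find_roleless_users(response_json: str) -> List[Dict]:
    """Return the vXUsers entries whose userRoleList is missing or empty.

    A user with no role is the case the report describes: it does not appear
    in the Admin user list but can still be referenced from policies.
    """
    data = json.loads(response_json)
    flagged = []
    for user in data.get("vXUsers", []):
        roles = user.get("userRoleList") or []
        if not roles:
            flagged.append({"id": user.get("id"), "name": user.get("name")})
    return flagged


def fetch_user_listing(base_url: str, username: str, password: str) -> str:
    """Fetch the user listing with HTTP Basic auth (assumed endpoint path)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/service/xusers/users?pageSize=200",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python audit_roleless.py [BASE_URL USER PASSWORD]
    # Without arguments the constructed sample is used.
    if len(sys.argv) == 4:
        body = fetch_user_listing(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        body = SAMPLE_RESPONSE
    for entry in find_roleless_users(body):
        print(f"user without roles: id={entry['id']} name={entry['name']}")
```

Run against the sample it reports "hehe" and "bob"; against a live Admin it lists every account that would be invisible in the UI for the same reason, which is the set to review or remove.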