You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Balázs Bence Sári (JIRA)" <ji...@apache.org> on 2019/04/10 12:10:00 UTC

[jira] [Created] (AMBARI-25238) Updating a user's password does not validate the administrator's current password.

Balázs Bence Sári created AMBARI-25238:
------------------------------------------

             Summary: Updating a user's password does not validate the administrator's current password.
                 Key: AMBARI-25238
                 URL: https://issues.apache.org/jira/browse/AMBARI-25238
             Project: Ambari
          Issue Type: Bug
    Affects Versions: 2.7.0
            Reporter: Balázs Bence Sári
            Assignee: Balázs Bence Sári
             Fix For: 2.7.4


When updating a user's password as an Ambari Administrator via the UI, the acting administrator user is prompted for their password...


The password is never validated by the backend to end sure it is correct for the acting user.  To keep consistency with 2.6 line, the password of the acting user should be verified.

The current implementation does require that if the acting user is not an Ambari Administrator user, the acting user may only change their own password and must supply their current password as well as the new password:

Example: 
{noformat}
curl -H "X-Requested-By:ambari"  -u user_a:hadoop -X PUT -d '{ "Users" : { "old_password" : "hadoop", "password" : "hadoop_1234" } }' http://localhost:8080/api/v1/users/user_a
{noformat}





--
This message was sent by Atlassian JIRA
(v7.6.3#76005)