Posted to issues@ambari.apache.org by "Antonenko Alexander (JIRA)" <ji...@apache.org> on 2016/05/10 15:42:12 UTC

[jira] [Created] (AMBARI-16436) Unauthorized user can get access to admin pages by pointing to their URLs

Antonenko Alexander created AMBARI-16436:
--------------------------------------------

             Summary: Unauthorized user can get access to admin pages by pointing to their URLs
                 Key: AMBARI-16436
                 URL: https://issues.apache.org/jira/browse/AMBARI-16436
             Project: Ambari
          Issue Type: Bug
          Components: ambari-web
    Affects Versions: 2.4.0
            Reporter: Antonenko Alexander
            Assignee: Antonenko Alexander
            Priority: Critical
             Fix For: 2.4.0



# As Ambari admin, create a user and provide "Cluster User" role. On my cluster the user is named *cluser*
# Login with the newly created user account
# Type the URL of some of the pages where "cluster user" is not allowed access like:
 -- /views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/ 
 -- /#/main/admin/serviceAccounts
 -- /#/main/admin/kerberos
and so on 
Note - In some cases you may have to load the page twice after typing the URL

*Result*: The pages are accessible. In one case, it allowed me to rename the cluster from Admin page too. 
Tried a few other operations too with the cluster user, like create user and change user group, but so far none of them was successful, even though the UI permitted them.
This presents a security risk as unauthorized users may still have access to undesirable pieces of information.

It would be good to point them to the home page in case they try to access a page that they are not allowed to.
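The redirect the report asks for, as an added illustration that is not ambari-web's own code: a hash-route guard that normalizes the requested route, checks it against the admin-only routes quoted in the report, and sends users without the admin role to the home page. The role strings, the home route and the `navigate` callback are assumptions made for this example.

```javascript
// Added example, not Ambari's code. Roles and HOME_ROUTE are assumed names.
const HOME_ROUTE = '/main/dashboard';

// Route prefixes that only administrators may open (paths from the report).
const ADMIN_ROUTE_PREFIXES = ['/main/admin/serviceAccounts', '/main/admin/kerberos', '/main/admin'];

// '#//main//admin/kerberos/?x=1' -> '/main/admin/kerberos'
// Normalizing first prevents a stray slash or query string from slipping past
// a plain string comparison.
function normalizeHashRoute(hash) {
  let path = hash.startsWith('#') ? hash.slice(1) : hash;
  path = path.split('?')[0];
  if (!path.startsWith('/')) path = '/' + path;
  path = path.replace(/\/+/g, '/');
  if (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);
  return path;
}

function isAdminRoute(path) {
  // Exact match or a true sub-path; '/main/adminx' must not match '/main/admin'.
  return ADMIN_ROUTE_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
}

// Decide whether the user may open the route; returns where to send them if not.
function resolveRoute(requestedHash, user) {
  const path = normalizeHashRoute(requestedHash);
  if (isAdminRoute(path) && !user.roles.includes('ADMIN')) {
    return { allowed: false, path, redirectTo: HOME_ROUTE };
  }
  return { allowed: true, path, redirectTo: null };
}

// Run on initial load AND on every hashchange, so a page typed directly into
// the address bar is caught on the first load, not only after a transition.
// This guard only hides UI; the REST API must keep enforcing authorization,
// as it already did for the write operations in the report.
function guardNavigation(currentHash, user, navigate) {
  const decision = resolveRoute(currentHash, user);
  if (!decision.allowed) navigate(decision.redirectTo);
  return decision.allowed;
}
```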


