You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Aleksandr Kovalenko (JIRA)" <ji...@apache.org> on 2016/05/10 15:52:13 UTC
[jira] [Commented] (AMBARI-16436) Unauthorized user can get access
to admin pages by pointing to their URLs
[ https://issues.apache.org/jira/browse/AMBARI-16436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15278321#comment-15278321 ]
Aleksandr Kovalenko commented on AMBARI-16436:
----------------------------------------------
+1 for the path
> Unauthorized user can get access to admin pages by pointing to their URLs
> -------------------------------------------------------------------------
>
> Key: AMBARI-16436
> URL: https://issues.apache.org/jira/browse/AMBARI-16436
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.4.0
> Reporter: Antonenko Alexander
> Assignee: Antonenko Alexander
> Priority: Critical
> Fix For: 2.4.0
>
> Attachments: AMBARI-16436.patch
>
>
> # As Ambari admin, create a user and provide "Cluster User" role. On my cluster the user is named *cluser*
> # Login with the newly created user account
> # Type the URL of some of the pages where "cluster user" is not allowed access like:
> -- /views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/
> -- /#/main/admin/serviceAccounts
> -- /#/main/admin/kerberos
> and so on
> Note - In some cases you may have to load the page twice after typing the URL
> *Result*: The pages are accessible. In one case, it allowed me to rename the cluster from Admin page too.
> Tried few other operations too with cluster user like create user, change user group, but so far none of them is successful. Even though UI permitted them.
> This presents a security risk as unauthorized users may still have access to undesirable piece of information.
> It would be good to point them to the home page in case they try accessing a page that they are not allowed to
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)