Posted to issues@ambari.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2016/07/16 07:02:20 UTC

[jira] [Commented] (AMBARI-17740) Cluster user role is permitted to install packages using API

    [ https://issues.apache.org/jira/browse/AMBARI-17740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15380573#comment-15380573 ] 

Hadoop QA commented on AMBARI-17740:
------------------------------------

+1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12818276/AMBARI-17740_trunk_01.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    +1 tests included.  The patch appears to include 1 new or modified test files.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in ambari-server.

Test results: https://builds.apache.org/job/Ambari-trunk-test-patch/7884//testReport/
Console output: https://builds.apache.org/job/Ambari-trunk-test-patch/7884//console

This message is automatically generated.

> Cluster user role is permitted to install packages using API
> ------------------------------------------------------------
>
>                 Key: AMBARI-17740
>                 URL: https://issues.apache.org/jira/browse/AMBARI-17740
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-17740_branch-2.4_01.patch, AMBARI-17740_trunk_01.patch
>
>
> With "Cluster User" role, submitting "install packages" API call goes through, even though it should be blocked
> {code}
> #curl -u cu:1234 -H "X-Requested-By: ambari" -i -X  POST http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d '{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}'
> HTTP/1.1 202 Accepted
> Date: Wed, 29 Jun 2016 05:55:16 GMT
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> User: cu
> Content-Type: text/plain
> Vary: Accept-Encoding, User-Agent
> Content-Length: 136
> Server: Jetty(9.2.11.v20150529)
> {
>   "href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36",
>   "Requests" : {
>     "id" : 36,
>     "status" : "Accepted"
>   }
> }
> {code}
> Role of the user "cu"
> {code}
> {
>   "href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7",
>   "PrivilegeInfo" : {
>     "cluster_name" : "cl1",
>     "permission_label" : "Cluster User",
>     "permission_name" : "CLUSTER.USER",
>     "principal_name" : "cu",
>     "principal_type" : "USER",
>     "privilege_id" : 7,
>     "type" : "CLUSTER",
>     "user_name" : "cu"
>   }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)