Antonenko Alexander created AMBARI-16436:
--------------------------------------------
Summary: Unauthorized user can get access to admin pages by
pointing to their URLs
Key: AMBARI-16436
URL: https://issues.apache.org/jira/browse/AMBARI-16436
Project: Ambari
Issue Type: Bug
Components: ambari-web
Affects Versions: 2.4.0
Reporter: Antonenko Alexander
Assignee: Antonenko Alexander
Priority: Critical
Fix For: 2.4.0
# As Ambari admin, create a user and provide "Cluster User" role. On my cluster
the user is named *cluser*
# Login with the newly created user account
# Type the URL of some of the pages where "cluster user" is not allowed access
like:
-- /views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/
-- /#/main/admin/serviceAccounts
-- /#/main/admin/kerberos
and so on
Note - In some cases you may have to load the page twice after typing the URL
*Result*: The pages are accessible. In one case, it allowed me to rename the
cluster from Admin page too.
Tried a few other operations too with cluster user, like create user and change user
group, but so far none of them is successful, even though the UI permitted them.
This presents a security risk as unauthorized users may still have access to
undesirable pieces of information.
It would be good to point them to the home page in case they try accessing a
page that they are not allowed to.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
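The redirect-to-home behaviour the ticket asks for, as an added example that is not Ambari's own code: a client-side route guard for the admin URLs listed above. The home route, the `user.isAdmin` flag and the helper names are assumptions.

```javascript
// Added example (not ambari-web code): a client-side guard that sends
// non-admin users to the home page when they request an admin-only URL.
const HOME_ROUTE = '/#/main/dashboard';  // assumed landing page for non-admins

// Admin-only URL prefixes, taken from the ticket. Anything under these
// subtrees requires the Ambari admin role.
const ADMIN_ONLY_PREFIXES = [
  '/views/ADMIN_VIEW',
  '/#/main/admin/serviceAccounts',
  '/#/main/admin/kerberos',
];

// Canonicalize so that trailing slashes, percent-encoding and letter case
// do not defeat a plain string comparison.
function canonicalize(url) {
  let decoded;
  try { decoded = decodeURIComponent(url); } catch (e) { decoded = url; }
  return decoded.toLowerCase().replace(/\/+$/, '');
}

// True when `url` is `prefix` itself or a path/fragment below it
// (so "/#/main/admin/kerberosX" does not match "/#/main/admin/kerberos").
function isUnder(url, prefix) {
  const u = canonicalize(url);
  const p = canonicalize(prefix);
  if (!u.startsWith(p)) return false;
  const next = u.charAt(p.length);
  return next === '' || next === '/' || next === '#' || next === '?';
}

// Returns the route the client should render: the requested one when the
// user may see it, otherwise HOME_ROUTE. `user.isAdmin` is an assumed flag.
function guardRoute(user, requestedUrl) {
  const needsAdmin = ADMIN_ONLY_PREFIXES.some(p => isUnder(requestedUrl, p));
  return (needsAdmin && !user.isAdmin) ? HOME_ROUTE : requestedUrl;
}

// Stand-alone demo with a constructed "Cluster User" account.
const clusterUser = { name: 'cluser', isAdmin: false };
console.log(guardRoute(clusterUser, '/#/main/admin/kerberos'));            // /#/main/dashboard
console.log(guardRoute(clusterUser, '/views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/')); // /#/main/dashboard
console.log(guardRoute(clusterUser, '/#/main/dashboard'));                 // /#/main/dashboard
```

This guard only hides pages; as the ticket itself shows (operations the UI permitted still failed), the server-side API authorization remains the control that actually matters, and the guard must not replace it.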