[
https://issues.apache.org/jira/browse/AMBARI-16436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Antonenko Alexander updated AMBARI-16436:
-----------------------------------------
Status: Patch Available (was: Open)
> Unauthorized user can get access to admin pages by pointing to their URLs
> -------------------------------------------------------------------------
>
> Key: AMBARI-16436
> URL: https://issues.apache.org/jira/browse/AMBARI-16436
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.4.0
> Reporter: Antonenko Alexander
> Assignee: Antonenko Alexander
> Priority: Critical
> Fix For: 2.4.0
>
> Attachments: AMBARI-16436.patch
>
>
> # As Ambari admin, create a user and provide "Cluster User" role. On my
> cluster the user is named *cluser*
> # Login with the newly created user account
> # Type the URL of some of the pages where "cluster user" is not allowed
> access like:
> -- /views/ADMIN_VIEW/2.4.0.0/INSTANCE/#/
> -- /#/main/admin/serviceAccounts
> -- /#/main/admin/kerberos
> and so on
> Note - In some cases you may have to load the page twice after typing the URL
> *Result*: The pages are accessible. In one case, it allowed me to rename the
> cluster from Admin page too.
> Tried few other operations too with cluster user like create user, change
> user group, but so far none of them is successful. Even though UI permitted
> them.
> This presents a security risk as unauthorized users may still have access to
> undesirable piece of information.
> It would be good to point them to the home page in case they try accessing a
> page that they are not allowed to
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
