[jira] [Updated] (AMBARI-17401) Service actions are available via firepath even if not visible on UI (RBAC)

Antonenko Alexander (JIRA) Thu, 23 Jun 2016 05:45:13 -0700

     [ 
https://issues.apache.org/jira/browse/AMBARI-17401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Antonenko Alexander updated AMBARI-17401:
-----------------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

committed to trunk and branch-2.4


> Service actions are available via firepath even if not visible on UI (RBAC)
> ---------------------------------------------------------------------------
>
>                 Key: AMBARI-17401
>                 URL: https://issues.apache.org/jira/browse/AMBARI-17401
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-web
>    Affects Versions: 2.4.0
>            Reporter: Antonenko Alexander
>            Assignee: Antonenko Alexander
>            Priority: Critical
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-17401.patch
>
>
> Login as a service operator. (He is not allowed to move components)
> Move to services tab, move to MapReduce service. Now with firepath search for 
> xpath : //a[text()='Move History Server']. Even though it is not visible, it 
> is accessible via UI elements. Anyone with this knowledge can run a script to 
> do move components to different hosts (My selenium test successfully ran for 
> service operator.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (AMBARI-17401) Service actions are available via firepath even if not visible on UI (RBAC)

Reply via email to