Robert Levas created AMBARI-17740:
-------------------------------------
Summary: Cluster user role is permitted to install packages using
API
Key: AMBARI-17740
URL: https://issues.apache.org/jira/browse/AMBARI-17740
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.4.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.4.0
With "Cluster User" role, submitting "install packages" API call goes through,
even though it should be blocked
{code}
#curl -u cu:1234 -H "X-Requested-By: ambari" -i -X POST
http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d
'{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}'
HTTP/1.1 202 Accepted
Date: Wed, 29 Jun 2016 05:55:16 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
User: cu
Content-Type: text/plain
Vary: Accept-Encoding, User-Agent
Content-Length: 136
Server: Jetty(9.2.11.v20150529)
{
"href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36";,
"Requests" : {
"id" : 36,
"status" : "Accepted"
}
}
{code}
Role of the user "cu"
{code}
{
"href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7";,
"PrivilegeInfo" : {
"cluster_name" : "cl1",
"permission_label" : "Cluster User",
"permission_name" : "CLUSTER.USER",
"principal_name" : "cu",
"principal_type" : "USER",
"privilege_id" : 7,
"type" : "CLUSTER",
"user_name" : "cu"
}
}
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
