[ https://issues.apache.org/jira/browse/AMBARI-17740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-17740:
----------------------------------
    Status: Patch Available  (was: In Progress)

> Cluster user role is permitted to install packages using API
> ------------------------------------------------------------
>
>                 Key: AMBARI-17740
>                 URL: https://issues.apache.org/jira/browse/AMBARI-17740
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: rbac
>             Fix For: 2.4.0
>
>         Attachments: AMBARI-17740_branch-2.4_01.patch, AMBARI-17740_trunk_01.patch
>
>
> With "Cluster User" role, submitting "install packages" API call goes through, even though it should be blocked
> {code}
> #curl -u cu:1234 -H "X-Requested-By: ambari" -i -X POST http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d '{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}'
> HTTP/1.1 202 Accepted
> Date: Wed, 29 Jun 2016 05:55:16 GMT
> X-Frame-Options: DENY
> X-XSS-Protection: 1; mode=block
> Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> User: cu
> Content-Type: text/plain
> Vary: Accept-Encoding, User-Agent
> Content-Length: 136
> Server: Jetty(9.2.11.v20150529)
> {
>   "href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36",
>   "Requests" : {
>     "id" : 36,
>     "status" : "Accepted"
>   }
> }
> {code}
> Role of the user "cu"
> {code}
> {
>   "href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7",
>   "PrivilegeInfo" : {
>     "cluster_name" : "cl1",
>     "permission_label" : "Cluster User",
>     "permission_name" : "CLUSTER.USER",
>     "principal_name" : "cu",
>     "principal_type" : "USER",
>     "privilege_id" : 7,
>     "type" : "CLUSTER",
>     "user_name" : "cu"
>   }
> }
> {code}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)