[ https://issues.apache.org/jira/browse/AMBARI-21016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16010196#comment-16010196 ]

Robert Levas edited comment on AMBARI-21016 at 5/15/17 9:08 AM:
----------------------------------------------------------------

[~yaolei],

I agree that the REST API call to retrieve a user's permissions will always show 
the correct set of permissions; however, I think that the user information 
stored in the session on the backend, which is used for authorization checks, will 
not be updated until the session is cleared.  The easiest way to do this is to 
log out and log back in.  So I still think you will see issues, since the 
frontend and the backend will be out of sync. 



was (Author: rlevas):
[~yaolei],

I agree that the REST API call to retrieve a user's permissions will always show 
the correct set of permissions; however, I think that the user information 
stored in the session on the backend will not be updated until the session is 
cleared.  The easiest way to do this is to log out and log back in.  So I still 
think you will see issues, since the frontend and the backend will be out of 
sync. 


> RBAC: Ambari should be sensitive to the change of login user's permissions.
> --------------------------------------------------------------------------
>
>                 Key: AMBARI-21016
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21016
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-web
>    Affects Versions: trunk
>            Reporter: Yao Lei
>            Assignee: Yao Lei
>            Priority: Minor
>             Fix For: trunk
>
>         Attachments: AMBARI-21016.patch
>
>
> Steps to reproduce:
> 1. Login to Ambari with the Ambari administrator role and create a user named Test on 
> host A.
> 2. Assign the service administrator role (or any other one of the five roles) to this 
> user Test.
> 3. On host B, login to Ambari with user Test. Now it acts as a service 
> administrator role.
> 4. On host A, unassign the role of user Test, or change the role to another 
> one, or even delete this user.
> 5. On host B, we will find that the user Test can continue to operate Ambari with 
> the previous permissions as a service administrator, which actually have already 
> been changed by step 4.
> Besides two different hosts, we can also reproduce this problem between 
> two different browsers on the local host.
> One solution:
> Periodically schedule a task to update the current user's authorization. If any error 
> happens in this process, we should log off the current user.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)