[
https://issues.apache.org/jira/browse/AMBARI-21016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16010550#comment-16010550
]
Jonathan Hurley commented on AMBARI-21016:
------------------------------------------
That's what I was suggesting; if you invalidate the entire session then the
next poll from the web client will return a 401 and the user will be booted to
the login screen automatically.
> RBAC:Ambari should be sensitve to the change of login user's permissions.
> -------------------------------------------------------------------------
>
> Key: AMBARI-21016
> URL: https://issues.apache.org/jira/browse/AMBARI-21016
> Project: Ambari
> Issue Type: Improvement
> Components: ambari-web
> Affects Versions: trunk
> Reporter: Yao Lei
> Assignee: Yao Lei
> Priority: Minor
> Fix For: trunk
>
> Attachments: AMBARI-21016.patch
>
>
> Steps to reproduce:
> 1.Login ambari with ambari administrator role and create a user named Test on
> host A.
> 2.Assign service administrator role(or any other one of five roles) to this
> user Test.
> 3.On host B, login ambari with user Test .Now it plays as a service
> administrato role.
> 4.On host A, unassign the role of user Test , or change the role to another
> one, or even delete this user.
> 5.On host B, we will find the user Test can continue to operate ambari with
> previous permissions as a service administrator which actually have already
> changed by step 4.
> Except for on two different hosts, we also can reproduce this problem between
> two different browsers on local host.
> One solution:
> Periodly schedule a task to update current user's authorization. If any error
> happens in this process, we should log off current user.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
