[ 
https://issues.apache.org/jira/browse/AMBARI-21016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yao Lei updated AMBARI-21016:
-----------------------------
    Description: 
Steps to reproduce:
1. Log in to Ambari with the Ambari Administrator role and create a user named 
Test on host A.
2. Assign the Service Administrator role (or any other one of the five roles) 
to this user Test.
3. On host B, log in to Ambari with user Test. It now acts as a Service 
Administrator.
4. On host A, unassign the role of user Test, or change the role to another 
one, or even delete this user.
5. On host B, we will find that the user Test can continue to operate Ambari 
with the previous permissions of a Service Administrator, which have actually 
already been changed by step 4.

Besides two different hosts, we can also reproduce this problem between two 
different browsers on the local host.


One solution:
Periodically schedule a task to update the current user's authorization. If 
we receive an unauthorized access exception, or the user has even been 
deleted, we should log off the current user.


  was:
Steps to reproduce:
1. Log in to Ambari with the Ambari Administrator role and create a user named 
Test on host A.
2. Assign the Service Administrator role (or any other one of the five roles) 
to this user Test.
3. On host B, log in to Ambari with user Test. It now acts as a Service 
Administrator.
4. On host A, unassign the role of user Test, or change the role to another 
one, or even delete this user.
5. On host B, we will find that the user Test can continue to operate Ambari 
with the previous permissions of a Service Administrator, which have actually 
already been changed by step 4.

Besides two different hosts, we can also reproduce this problem between two 
different browsers on the local host.


One solution:
Periodically schedule a task to update the current user's authorization. If 
any error happens in this process, we should log off the current user.



> RBAC: Ambari should be sensitive to the change of login user's permissions.
> ---------------------------------------------------------------------------
>
>                 Key: AMBARI-21016
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21016
>             Project: Ambari
>          Issue Type: Improvement
>          Components: ambari-web
>    Affects Versions: 2.5.0
>            Reporter: Yao Lei
>            Assignee: Yao Lei
>            Priority: Minor
>             Fix For: 2.5.1
>
>         Attachments: AMBARI-21016.1.patch, AMBARI-21016.patch
>
>
> Steps to reproduce:
> 1. Log in to Ambari with the Ambari Administrator role and create a user named 
> Test on host A.
> 2. Assign the Service Administrator role (or any other one of the five roles) 
> to this user Test.
> 3. On host B, log in to Ambari with user Test. It now acts as a Service 
> Administrator.
> 4. On host A, unassign the role of user Test, or change the role to another 
> one, or even delete this user.
> 5. On host B, we will find that the user Test can continue to operate Ambari 
> with the previous permissions of a Service Administrator, which have actually 
> already been changed by step 4.
> Besides two different hosts, we can also reproduce this problem between two 
> different browsers on the local host.
> One solution:
> Periodically schedule a task to update the current user's authorization. If 
> we receive an unauthorized access exception, or the user has even been 
> deleted, we should log off the current user.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
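The proposed fix above (periodically refresh the logged-in user's authorization and log off on an unauthorized-access response or when the user is gone) can be sketched as a small client-side watch. The following is an added example written for this page; it is not Ambari's code and not the attached patch. It assumes, as unverified assumptions, that the privileges endpoint is `GET /api/v1/users/<name>/privileges` answering `{ items: [ { PrivilegeInfo: { permission_name: "..." } } ] }`, and that the permission names `SERVICE.ADMINISTRATOR` and `CLUSTER.USER` are what the server returns; the sample responses are constructed, not captured. It generalizes the ticket slightly by also handling the case where the role is changed rather than removed (a reload of the UI rather than a logout) and by not logging out on transient server errors.

```javascript
// Added example, not Ambari's code: a client-side watch that periodically
// re-fetches the logged-in user's privileges and decides whether the session
// may continue. ASSUMPTION: the privileges endpoint is
//   GET /api/v1/users/<name>/privileges
// and answers { items: [ { PrivilegeInfo: { permission_name: "..." } } ] };
// the permission names used below are assumed as well. Check both against
// the Ambari version you run.

// Normalize a privileges response to a sorted, de-duplicated list of names.
function permissionSet(privilegesResponse) {
  const items = (privilegesResponse && privilegesResponse.items) || [];
  const names = items.map((item) => item.PrivilegeInfo.permission_name);
  return [...new Set(names)].sort();
}

function samePermissions(a, b) {
  return a.length === b.length && a.every((name, i) => name === b[i]);
}

// Decide what the web client should do after one refresh.
//   status: HTTP status of the refresh call (0 for a network failure)
//   body:   parsed JSON body, or null
// Returns "logout" when the session is no longer authorized (401/403) or the
// user no longer exists (404), "reload" when the permission set differs from
// the one captured at login (so the UI re-renders for the new role), and "ok"
// otherwise. Transient errors (5xx, network) keep the session and are retried
// on the next tick; logging out on every error would throw all users out
// during a server restart.
function decide(loginPermissions, status, body) {
  if (status === 401 || status === 403 || status === 404) return "logout";
  if (status !== 200 || body === null) return "ok";
  const current = permissionSet(body);
  return samePermissions(loginPermissions, current) ? "ok" : "reload";
}

// Run the check repeatedly. fetchPrivileges(user) -> Promise<{status, body}>;
// onDecision receives "ok" | "reload" | "logout". Returns a stop function.
function startAuthorizationWatch(user, loginPermissions, fetchPrivileges, onDecision, intervalMs) {
  const tick = async () => {
    let result;
    try {
      result = await fetchPrivileges(user);
    } catch (err) {
      result = { status: 0, body: null }; // network failure: treated as transient
    }
    onDecision(decide(loginPermissions, result.status, result.body));
  };
  const timer = setInterval(tick, intervalMs);
  return () => clearInterval(timer);
}

// Constructed sample responses (not captured from a real server) that replay
// the reported scenario: user Test is logged in as Service Administrator on
// host B while the administrator on host A changes, removes, and finally
// deletes the account.
const AT_LOGIN = { items: [{ PrivilegeInfo: { permission_name: "SERVICE.ADMINISTRATOR" } }] };
const ROLE_CHANGED = { items: [{ PrivilegeInfo: { permission_name: "CLUSTER.USER" } }] };
const SCENARIO = [
  { status: 200, body: AT_LOGIN },      // nothing changed yet
  { status: 200, body: ROLE_CHANGED },  // step 4: role changed on host A
  { status: 200, body: { items: [] } }, // step 4: role unassigned
  { status: 503, body: null },          // server briefly unavailable
  { status: 404, body: null },          // step 4: user deleted
];

// Replay the scenario synchronously (no timers) so the decisions can be checked.
function replay(loginPermissions, responses) {
  return responses.map(({ status, body }) => decide(loginPermissions, status, body));
}

if (typeof require !== "undefined" && require.main === module) {
  const login = permissionSet(AT_LOGIN);
  console.log(replay(login, SCENARIO)); // [ 'ok', 'reload', 'reload', 'ok', 'logout' ]
}
```

A poll like this only corrects what the browser shows; it is a usability measure, not the authorization boundary. Any client that does not run the poll (a script reusing the session cookie, an old tab with the timer stopped) is not constrained by it, so the server must still evaluate the caller's current permissions on every request, and the poll interval bounds only how long a stale UI is displayed.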