Robert Levas created AMBARI-25201:
-------------------------------------
Summary: Updating a user's password does not validate the
administrator's current password.
Key: AMBARI-25201
URL: https://issues.apache.org/jira/browse/AMBARI-25201
Project: Ambari
Issue Type: Bug
Components: ambari-server, ambari-web
Affects Versions: 2.7.0
Reporter: Robert Levas
Assignee: Gabor Boros
Fix For: 2.7.4
Attachments: image-2019-03-19-12-18-59-062.png
When updating a user's password as an Ambari Administrator via the UI, the
acting administrator user is prompted for their password...
!image-2019-03-19-12-18-59-062.png!
The password is never validated by the backend to end sure it is correct for
the acting user. Either the text box needs to be removed from the UI, or the
backend should verify the administrator's password before changing the user's
password.
The current implementation does require that if the acting user is not an
Ambari Administrator user, the acting user may only change their own password
and must supply their current password as well as the new password:
Example:
{noformat}
curl -H "X-Requested-By:ambari" -u user_a:hadoop -X PUT -d '{ "Users" : {
"old_password" : "hadoop", "password" : "hadoop_1234" } }'
http://localhost:8080/api/v1/users/user_a
{noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
