[
https://issues.apache.org/jira/browse/AMBARI-25201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Balázs Bence Sári updated AMBARI-25201:
---------------------------------------
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Updating a user's password does not validate the administrator's current
> password.
> ----------------------------------------------------------------------------------
>
> Key: AMBARI-25201
> URL: https://issues.apache.org/jira/browse/AMBARI-25201
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server, ambari-web
> Affects Versions: 2.7.0
> Reporter: Robert Levas
> Assignee: Balázs Bence Sári
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.4
>
> Attachments: image-2019-03-19-12-18-59-062.png
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> When updating a user's password as an Ambari Administrator via the UI, the
> acting administrator user is prompted for their password...
> !image-2019-03-19-12-18-59-062.png!
> The password is never validated by the backend to end sure it is correct for
> the acting user. Either the text box needs to be removed from the UI, or the
> backend should verify the administrator's password before changing the user's
> password.
> The current implementation does require that if the acting user is not an
> Ambari Administrator user, the acting user may only change their own password
> and must supply their current password as well as the new password:
> Example:
> {noformat}
> curl -H "X-Requested-By:ambari" -u user_a:hadoop -X PUT -d '{ "Users" : {
> "old_password" : "hadoop", "password" : "hadoop_1234" } }'
> http://localhost:8080/api/v1/users/user_a
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
