[ https://issues.apache.org/jira/browse/RANGER-2130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mehul Parikh resolved RANGER-2130.
----------------------------------
    Resolution: Not A Bug

> Ranger Admin - client-side control bypass
> -----------------------------------------
>
>                 Key: RANGER-2130
>                 URL: https://issues.apache.org/jira/browse/RANGER-2130
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 1.0.0
>            Reporter: t oo
>            Assignee: Nitin Galave
>            Priority: Major
>         Attachments: 0001-RANGER-2130.patch, Screen Shot 2018-06-11 at 10.36.39 am.png, client_side_controls1.PNG, client_side_controls2.PNG
>
>
> *Risk/Issue summary finding*
> {code:java}
> Client-side Control Bypass (Ranger){code}
>
> *Risk/Issue summary description/detail*
> {code:java}
> The Apache Ranger application relies on client-side controls to restrict user
> access to certain information and functionality. A user can bypass these
> controls (by modifying client-side parameters or directly browsing to
> specific API requests or resources) to view information without the required
> authorisation.
>
> The attached screenshots show the "admin" user bypassing client-side controls
> to modify their Role from "User" to "Admin". Whilst submitting this request
> is unsuccessful and will not permanently change the user role, the GUI allows
> access to sections that were previously hidden.{code}
>
> *Business impact / attack scenario*
> {code:java}
> Low privilege users with restricted access are able to view information that
> is not intended for their viewing. As an example, the admin user can bypass
> client side controls to view configuration details for the HIVE_RANGER_E2E
> hive object. {code}
>
> *Recommendation*
> {code:java}
> Do not rely on client-side controls to restrict user access. Ensure that
> server-side controls are in place to restrict unauthorised access to
> sensitive information and APIs. {code}
>
> In the rangeradmin UI, on the Users page, after clicking on a user: if you
> edit the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so
> that the Role field for the User becomes un-greyed out and you can change the role from
> User to Admin!

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
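The distinction behind the "Not A Bug" resolution, as an added example that is not Ranger's own code: the greyed-out Role dropdown is only a UI hint, and a request with the `disabled` attribute stripped must still be refused by a server-side check on the caller's session role. The `User`, `update_user_role` and form names are assumed for illustration.

```python
"""Server-side enforcement of a role change versus trusting the client form."""
from dataclasses import dataclass
from typing import Dict, Tuple

ROLES = {"User", "Admin"}


@dataclass
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when the caller's server-side role does not permit the change."""


def update_user_role_trusting_client(caller: User, target: User, form: Dict[str, str]) -> User:
    """Vulnerable variant: the only gate was the 'disabled' dropdown in the HTML."""
    target.role = form["role"]
    return target


def update_user_role(caller: User, target: User, form: Dict[str, str]) -> User:
    """Hardened variant: authorization comes from the caller's session role
    (held server-side), never from which fields the browser let the user edit."""
    requested = form.get("role", target.role)
    if requested not in ROLES:
        raise ValueError(f"unknown role {requested!r}")
    if requested != target.role and caller.role != "Admin":
        # A non-admin may edit a profile, but never escalate a role.
        raise Forbidden(f"{caller.name} ({caller.role}) may not set role {requested}")
    target.role = requested
    return target


def tampered_form() -> Dict[str, str]:
    """Constructed request body as submitted after re-enabling the Role field
    in browser dev tools (a constructed sample, not a captured Ranger request)."""
    return {"name": "alice", "role": "Admin"}


def check_bypass() -> Tuple[str, str]:
    """Resulting role under each variant for the same tampered submission."""
    caller = User("alice", "User")  # session role as the server knows it
    weak = update_user_role_trusting_client(caller, User("alice", "User"), tampered_form())
    try:
        strong_role = update_user_role(caller, User("alice", "User"), tampered_form()).role
    except Forbidden:
        strong_role = "User"  # request rejected, stored role unchanged
    return weak.role, strong_role
```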