[AMBARI-17740] Cluster user role is permitted to install packages using API - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.4.0
Fix Version/s: 2.4.0
Component/s: ambari-server
Labels:
- rbac

Description

With "Cluster User" role, submitting "install packages" API call goes through, even though it should be blocked

#curl -u cu:1234 -H "X-Requested-By: ambari" -i -X  POST http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d '{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}'
HTTP/1.1 202 Accepted
Date: Wed, 29 Jun 2016 05:55:16 GMT
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
User: cu
Content-Type: text/plain
Vary: Accept-Encoding, User-Agent
Content-Length: 136
Server: Jetty(9.2.11.v20150529)

{
  "href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36",
  "Requests" : {
    "id" : 36,
    "status" : "Accepted"
  }
}

Role of the user "cu"

{
  "href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7",
  "PrivilegeInfo" : {
    "cluster_name" : "cl1",
    "permission_label" : "Cluster User",
    "permission_name" : "CLUSTER.USER",
    "principal_name" : "cu",
    "principal_type" : "USER",
    "privilege_id" : 7,
    "type" : "CLUSTER",
    "user_name" : "cu"
  }
}

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-17740_trunk_01.patch
16/Jul/16 00:25
14 kB
Robert Levas
AMBARI-17740_branch-2.4_01.patch
16/Jul/16 00:25
14 kB
Robert Levas

Issue Links

links to

ReviewBoard

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 15/Jul/16 16:16

Updated:: 20/Jul/16 00:16

Resolved:: 19/Jul/16 19:42