Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-25201

Updating a user's password does not validate the administrator's current password.

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    Description

      When updating a user's password as an Ambari Administrator via the UI, the acting administrator user is prompted for their password...

      The password is never validated by the backend to end sure it is correct for the acting user. Either the text box needs to be removed from the UI, or the backend should verify the administrator's password before changing the user's password.

      The current implementation does require that if the acting user is not an Ambari Administrator user, the acting user may only change their own password and must supply their current password as well as the new password:

      Example:

      curl -H "X-Requested-By:ambari"  -u user_a:hadoop -X PUT -d '{ "Users" : { "old_password" : "hadoop", "password" : "hadoop_1234" } }' http://localhost:8080/api/v1/users/user_a
      

      Attachments

        Issue Links

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            bsari Balázs Bence Sári
            rlevas Robert Levas
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 1h 10m
                1h 10m

                Slack

                  Issue deployment