[RANGER-3616] Security Risk. ugsync API can create a hidden user. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.0.0, 2.2.0
Fix Version/s: None
Component/s: Ranger, usersync
Labels:
None

Description

We can use REST API /service/xusers/ugsync/users to create a User without

userRoleList. And the user is hidden in Ranger Admin User List.

#] curl -u: --negotiate --header 'Content-Type: application/json' --data '{"vXUsers" :[

{"name":"hehe", "description" : "hehe", "syncSorce": "Unix"}

], "totalCount" : 1}' 'http://kirbytest01.sa:6080/service/xusers/ugsync/users'

1

The user "hehe" is created, but can not be seen at WebUI

But it be used at policies, it should be a security risk.

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

截屏2022-02-11 上午10.24.27.jpg
11/Feb/22 02:27
253 kB
kirby zhou
截屏2022-02-11 上午10.23.40.jpg
11/Feb/22 02:27
111 kB
kirby zhou

Activity

People

Assignee:: Unassigned

Reporter:: kirby zhou

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Feb/22 02:27

Updated:: 11/Feb/22 02:28