Robert Levas created AMBARI-17740: ------------------------------------- Summary: Cluster user role is permitted to install packages using API Key: AMBARI-17740 URL: https://issues.apache.org/jira/browse/AMBARI-17740 Project: Ambari Issue Type: Bug Components: ambari-server Affects Versions: 2.4.0 Reporter: Robert Levas Assignee: Robert Levas Fix For: 2.4.0
With "Cluster User" role, submitting "install packages" API call goes through, even though it should be blocked {code} #curl -u cu:1234 -H "X-Requested-By: ambari" -i -X POST http://ambari-server:8080/api/v1/clusters/cl1/stack_versions -d '{"ClusterStackVersions":{"stack":"HDP","version":"2.3","repository_version":"2.3.0.0"}}' HTTP/1.1 202 Accepted Date: Wed, 29 Jun 2016 05:55:16 GMT X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Set-Cookie: AMBARISESSIONID=11njwu8py6m511511liub068vj;Path=/;HttpOnly Expires: Thu, 01 Jan 1970 00:00:00 GMT User: cu Content-Type: text/plain Vary: Accept-Encoding, User-Agent Content-Length: 136 Server: Jetty(9.2.11.v20150529) { "href" : "http://ambari-server:8080/api/v1/clusters/cl1/requests/36", "Requests" : { "id" : 36, "status" : "Accepted" } } {code} Role of the user "cu" {code} { "href" : "http://ambari-server:8080/api/v1/users/cu/privileges/7", "PrivilegeInfo" : { "cluster_name" : "cl1", "permission_label" : "Cluster User", "permission_name" : "CLUSTER.USER", "principal_name" : "cu", "principal_type" : "USER", "privilege_id" : 7, "type" : "CLUSTER", "user_name" : "cu" } } {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)