Issue Tracker: Issues https://issues.rudder.io/ 2024-03-22T17:51:08Z
API authorizations - Bug #24585 (Pending release): API authorization menu has two different icons... https://issues.rudder.io/issues/24585 2024-03-22T17:51:08Z Clark ANDRIANASOLO
<p>... one is a chevron and another is an arrow tip ...</p>
API authorizations - Bug #24433 (Pending release): API authorization menu below username is bare... https://issues.rudder.io/issues/24433 2024-03-13T12:52:26Z Elaad FURREEDAN
<p><img src="https://issues.rudder.io/attachments/download/2878/clipboard-202403131350-taxt7.png" alt="" loading="lazy" /><br /><img src="https://issues.rudder.io/attachments/download/2879/clipboard-202403131351-jk7ga.png" alt="" loading="lazy" /></p>
Authentication backends - Enhancement #24393 (New): Add an OIDC attribute mapping for setting tena... https://issues.rudder.io/issues/24393 2024-03-09T19:21:26Z François ARMAND francois.armand@rudder.io
<p>We can set user role, but not user tenants from IdP settings. We will need to have the same kind of logic as for role provisioning for tenants.</p>
Authentication backends - Bug #24364 (Pending release): Remove RPKG variable that creates plugin ... https://issues.rudder.io/issues/24364 2024-03-07T11:28:12Z Vincent MEMBRÉ vme@rudder.io
Authentication backends - Bug #24344 (Pending release): Merge user-management and auth-backend pl... https://issues.rudder.io/issues/24344 2024-03-06T09:50:28Z Clark ANDRIANASOLO
<p>We backported users table and OIDC feature and made changes on top of <a class="issue tracker-4 status-11 priority-16 priority-default child" title="Architecture: Backport user in base for plugins (Pending release)" href="https://issues.rudder.io/issues/24148">#24148</a> to the user-management dashboard</p>
<p>We want to merge the current feature branch to 7.3</p>
Authentication backends - Bug #24296 (Pending release): Log on user api authorizations should use... https://issues.rudder.io/issues/24296 2024-02-29T17:08:21Z Clark ANDRIANASOLO
<p>The usage of direct string interpolation on <code>ACL</code> element prints a hardly readable string; we should use a specific <code>debugString</code> method from Rudder</p>
Authentication backends - Bug #24247 (Pending release): Authentication protocol names should be n... https://issues.rudder.io/issues/24247 2024-02-26T15:45:46Z Clark ANDRIANASOLO
<p>They should be the same as "provider" names as declared in the Rudder configuration file:<br /><pre><code>
rudder.auth.provider=file,oidc,ldap
</code></pre></p>
<p>The value is the one directly written in the column <code>managedby</code> for the database table <code>users</code> later, but when reading it back we don't want to worry about case-sensitivity.</p>
Authentication backends - Bug #24218 (New): Fix UI issues caused by bootstrap update in auth-back... https://issues.rudder.io/issues/24218 2024-02-19T16:53:58Z Raphael GAUTHIER
<p>We've made a first pass at fixing all bugs that were blocking certain actions in the interface on this plugin; now we need to fix the aesthetic ones.</p>
Authentication backends - Bug #24202 (Pending release): No API right with OIDC provided roles https://issues.rudder.io/issues/24202 2024-02-16T09:28:05Z Clark ANDRIANASOLO
<p>Port of <a class="issue tracker-4 status-11 priority-16 priority-default child" title="Architecture: No API right with aliased roles (Pending release)" href="https://issues.rudder.io/issues/24189">#24189</a> for 7.3</p>
Authentication backends - Architecture #24189 (Pending release): No API right with aliased roles https://issues.rudder.io/issues/24189 2024-02-14T10:04:12Z François ARMAND francois.armand@rudder.io
<p>It seems that an aliased role permission is not correctly carried to API endpoints.</p>
<p>When logged in as an aliased administrator, trying to go to the user management plugin, I get:</p>
<pre>
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Identifying OIDC user info with sub: '00u3smso2m5zF2jom5d7' on rudder user base using login: 'francois@rudder.io'
[2024-02-14 10:58:59+0100] TRACE auth-backends - IdP configuration has registered role mapping: [(rudder_admin,administrator); (rudder_readonly,readonly)]
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-a' does not match any Rudder role, ignoring it for user francois@rudder.io
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-b' does not match any Rudder role, ignoring it for user francois@rudder.io
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io': mapping IdP provided role 'rudder_admin' to Rudder role 'administrator'
[2024-02-14 10:58:59+0100] INFO application.authorization - Principal 'francois@rudder.io' role list extended with OIDC provided roles: [rudder_admin(administrator)] (override: true)
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io' final list of roles: [administrator]
[2024-02-14 10:58:59+0100] INFO application - Rudder authentication attempt for principal 'francois@rudder.io' with backend 'oidc': success
[2024-02-14 10:58:59+0100] INFO compliance - [metrics] global compliance (number of components): 6388 [p:6196 s:0 r:0 e:0 u:0 m:0 nr:192 na:0 rd:0 c:0 ana:0 nc:0 ae:0 bpm:0]
[2024-02-14 10:59:04+0100] ERROR api-processing - Authorization error for 'GET secure/api/usermanagement/users': User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users
[2024-02-14 10:59:04+0100] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users"
</pre>
<p>But perhaps it's just an instance of: <a class="external" href="https://issues.rudder.io/issues/23254">https://issues.rudder.io/issues/23254</a></p>
Authentication backends - User story #24182 (Pending release): Add a role mapping and filtering f... https://issues.rudder.io/issues/24182 2024-02-09T16:58:32Z François ARMAND francois.armand@rudder.io
<p>We would like to be able to restrict the list of roles an IdP can address, and allow a mapping between the names used by the IdP and Rudder internal names.</p>
<p>The config could look like:</p>
<pre>
rudder.auth.oauth2.provider.okta.roles.mapping.enforced=true
rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_admin=administrator
rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.rudder_readonly=readonly
</pre>
<p>(if enforced is true, we are only allowed to use the roles from entitlements, else entitlements are additional aliases)</p>
<p><img src="https://issues.rudder.io/attachments/download/2792/clipboard-202402091756-gk0bf.png" alt="" loading="lazy" /></p>
Authentication backends - Bug #24130 (New): Stack trace on bad OAuth2 config https://issues.rudder.io/issues/24130 2024-02-02T08:07:45Z François ARMAND francois.armand@rudder.io
<p>In some scenarios, if the user misconfigured the OAuth scope, he gets a stack trace. We don't want stack traces:</p>
<pre>
[2024-02-02 08:30:49+0100] DEBUG auth-backends - Processing OAuth2/OIDC authorisation validation and starting authentication request
[2024-02-02 08:30:49+0100] INFO application - Rudder authentication attempt for principal 'unknown' with backend 'oauth2': failure
[2024-02-02 08:30:49+0100] WARN application - Login authentication failed for user 'unknown' from IP '127.0.0.1|X-Forwarded-For:10.84.103.142': [invalid_scope] Unknown/invalid scope(s)
[2024-02-02 08:30:54+0100] ERROR org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter - Authorization Request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_build>
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_build_error] Invalid Client Registration with Id: weni
at bootstrap.rudder.plugin.RudderDefaultOAuth2AuthorizationRequestResolver.cleanResolve(AuthBackendsConf.scala:449)
at bootstrap.rudder.plugin.RudderDefaultOAuth2AuthorizationRequestResolver.resolve(AuthBackendsConf.scala:472)
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:167)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:55)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:221)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)
at bootstrap.liftweb.LiftSpringSecurityFilter.doFilter(LiftSpringSecurityFilter.scala:59)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:210)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:149)
at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:51)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.Server.handle(Server.java:563)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
</pre>
Authentication backends - Bug #23314 (New): Update role overriding warning based on actual OIDC c... https://issues.rudder.io/issues/23314 2023-08-18T12:29:13Z François ARMAND francois.armand@rudder.io
<p>Once <a class="external" href="https://issues.rudder.io/issues/23313">https://issues.rudder.io/issues/23313</a> is done, we can update the warning message to let the user know if the user list can actually be changed, and how (extends/overrides).</p>
API authorizations - Bug #20859 (Pending release): Prevent acl categories to fold when we click o... https://issues.rudder.io/issues/20859 2022-03-04T11:38:02Z Raphael GAUTHIER
<p>We can fold/unfold acl categories by clicking on their name, but we don't want to fold/unfold them by clicking on the All or None buttons.</p>
API authorizations - Bug #17712 (Pending release): Missing branding API (and others?) in API auth... https://issues.rudder.io/issues/17712 2020-06-10T16:49:41Z François ARMAND francois.armand@rudder.io
<p>When other plugins are loaded with <code>api authz</code> plugin, all their APIs are listed in the list of restricted APIs. But that's not the case for branding, and perhaps others.</p>
<p>There is no obvious difference between branding (not listed) and datasources for ex (listed).</p>