Bug #12440

When the api authorization plugin is disabled tokens become read only

Added by Benoît PECCATTE about 1 year ago. Updated 4 months ago.

Status:
New
Priority:
N/A
Target version:
Pull Request:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Very Small
Priority:
82

Description

This could be a security problem: if the token had restricted read rights, it then has full access.
The token could instead be interpreted as disabled.
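To make the failure mode concrete, the following is an added illustration written for this page (it is not Rudder's or the plugin's code) of a token scoped by an optional ACL plugin and the ways the core can treat it once that plugin is disabled: the reported fail-open behaviour, the "disabled" interpretation proposed above, and, going one step further, the read/ACL intersection mentioned later in the history. The Token class, the "METHOD path-prefix" ACL format and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

# Constructed illustration: how a token scoped by an optional ACL plugin is
# treated once that plugin is disabled.  Names and the ACL entry format are
# assumed for this example; none of this is Rudder's own code.

READ_METHODS = frozenset({"GET", "HEAD"})


@dataclass(frozen=True)
class Token:
    name: str
    # ACL entries as "METHOD path-prefix".  An empty set means the token was
    # never scoped by the plugin and keeps its historical full access.
    acls: FrozenSet[str] = frozenset()


def acl_allows(token: Token, method: str, path: str) -> bool:
    """Fine-grained check the plugin performs: some entry must name the same
    method and carry a path prefix that covers the requested path."""
    for entry in token.acls:
        acl_method, prefix = entry.split(" ", 1)
        if acl_method == method and path.startswith(prefix):
            return True
    return False


Fallback = Callable[[Token, str, str], bool]


def fail_open(token: Token, method: str, path: str) -> bool:
    """Reported behaviour: with the plugin off the ACLs are simply ignored,
    so a restricted token silently gains full access."""
    return True


def treat_as_disabled(token: Token, method: str, path: str) -> bool:
    """Proposed fix: a token that carries ACLs cannot be interpreted without
    the plugin, so every request with it is refused (fail closed)."""
    return not token.acls


def read_intersect_acls(token: Token, method: str, path: str) -> bool:
    """Alternative: allow only what is both read-only and inside the ACLs."""
    if not token.acls:
        return True
    return method in READ_METHODS and acl_allows(token, method, path)


def authorize(token: Token, method: str, path: str,
              plugin_enabled: bool, fallback: Fallback) -> bool:
    """Authorization decision for one API request."""
    if plugin_enabled:
        return True if not token.acls else acl_allows(token, method, path)
    # Plugin disabled: the chosen fallback decides what a scoped token gets.
    return fallback(token, method, path)


def compare_fallbacks(token: Token, method: str, path: str) -> Dict[str, bool]:
    """Decision each fallback reaches for a request once the plugin is off."""
    return {
        fb.__name__: authorize(token, method, path, False, fb)
        for fb in (fail_open, treat_as_disabled, read_intersect_acls)
    }


if __name__ == "__main__":
    # Constructed sample: a CI token that may only read rules.
    ci_token = Token("ci-reader", frozenset({"GET /api/rules"}))
    for method, path in (("GET", "/api/rules/42"), ("DELETE", "/api/rules/42")):
        print(method, path, compare_fallbacks(ci_token, method, path))
```

With the plugin enabled the read-only token is refused a DELETE; with the plugin disabled, fail_open grants it, which is the escalation described in the bug, while treat_as_disabled refuses every request from a scoped token and leaves unscoped tokens untouched.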


Related issues

Related to Rudder - User story #12111: Make fine-grained API authorization a plugin (Released)

History

#1

Updated by François ARMAND about 1 year ago

#2

Updated by François ARMAND about 1 year ago

See comment/implementation on PR for #12111: https://github.com/Normation/rudder/pull/1858

#3

Updated by François ARMAND about 1 year ago

#4

Updated by François ARMAND about 1 year ago

#5

Updated by Alexis MOUSSET about 1 year ago

  • Subject changed from When the api aithorization plugin is disabled tokens become read only to When the api authorization plugin is disabled tokens become read only

#6

Updated by Benoît PECCATTE 11 months ago

  • Project changed from Private plugins common to Rudder
  • Category set to 102
  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Infrequent - complex configurations | third party integrations
  • Priority changed from 0 to 64

#7

Updated by Benoît PECCATTE 11 months ago

  • Assignee set to Vincent MEMBRÉ

#8

Updated by Vincent MEMBRÉ 9 months ago

  • Project changed from Rudder to API Authorizations
  • Category deleted (102)
  • Target version set to 4.3-1.3
  • Priority changed from 64 to 62

#9

Updated by François ARMAND 7 months ago

  • Effort required set to Very Small
  • Priority changed from 62 to 86

#10

Updated by François ARMAND 7 months ago

Needs to be checked again for the actual status.

"Disable" is better than intersection of "read /\ acls rights" because much simpler to understand for the user.

#11

Updated by François ARMAND 4 months ago

  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Priority changed from 86 to 82
