Bug #12440

closed

When the api authorization plugin is disabled tokens become read only

Added by Benoît PECCATTE over 6 years ago. Updated almost 5 years ago.

Status:
Released
Priority:
N/A
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Infrequent - complex configurations | third party integrations
Effort required:
Very Small
Priority:
78
Name check:
Fix check:
Regression:

Description

This could be a security problem if the token had restricted read rights; the token then has full access.
The token could instead be interpreted as disabled.


Related issues 1 (0 open, 1 closed)

Related to Rudder - User story #12111: Make fine-grained API authorization a plugin (Released, François ARMAND)
Actions #1

Updated by François ARMAND over 6 years ago

Actions #2

Updated by François ARMAND over 6 years ago

See comment/implementation on PR for #12111: https://github.com/Normation/rudder/pull/1858

Actions #3

Updated by François ARMAND over 6 years ago

Actions #4

Updated by François ARMAND over 6 years ago

Actions #5

Updated by Alexis Mousset over 6 years ago

  • Subject changed from When the api aithorization plugin is disabled tokens become read only to When the api authorization plugin is disabled tokens become read only
Actions #6

Updated by Benoît PECCATTE over 6 years ago

  • Project changed from 53 to Rudder
  • Category set to 102
  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Infrequent - complex configurations | third party integrations
  • Priority changed from 0 to 64
Actions #7

Updated by Benoît PECCATTE over 6 years ago

  • Assignee set to Vincent MEMBRÉ
Actions #8

Updated by Vincent MEMBRÉ over 6 years ago

  • Project changed from Rudder to API authorizations
  • Category deleted (102)
  • Target version set to 444
  • Priority changed from 64 to 62
Actions #9

Updated by François ARMAND about 6 years ago

  • Effort required set to Very Small
  • Priority changed from 62 to 86
Actions #10

Updated by François ARMAND about 6 years ago

Needs to be checked again for the actual status.

"Disable" is better than intersection of "read /\ acls rights" because it is much simpler to understand for the user.

Actions #11

Updated by François ARMAND almost 6 years ago

  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Priority changed from 86 to 82
Actions #12

Updated by François ARMAND about 5 years ago

  • Target version changed from 444 to 5.0-1.5
  • Priority changed from 82 to 78
Actions #13

Updated by François ARMAND about 5 years ago

  • Status changed from New to In progress
Actions #14

Updated by François ARMAND about 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/2578
Actions #15

Updated by François ARMAND about 5 years ago

  • Status changed from Pending technical review to Pending release
Actions #16

Updated by Vincent MEMBRÉ almost 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 5.0-1.5 which was released today.
