Project

General

Profile

Actions

Bug #16386

closed

Technique edit authorizations don't allow technique editor use

Added by François ARMAND about 5 years ago. Updated almost 5 years ago.

Status:
Released
Priority:
N/A
Category:
Web - Technique editor
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Very Small
Priority:
102
Name check:
To do
Fix check:
Checked
Regression:

Description

When the have the user authorization plugin, admin can access the technique editor, but not an user with rights:

  <user name="alice" password="xxx" role="user,deployment_read,deployment_write,directive_read,directive_edit,directive_write,technique_read,technique_edit,technique_write,configuration_read" />

Then, in the Menu the "Utilities" points to hostname/rudder/secure/utilities/techniqueEditor and I'm getting error 404.
If I go directly to /rudder/secure/configurationManager/techniqueEditor, it does work.

Moreover, with the less authorized user, creating a technique leads to error:

 I have a dead link if I'm logging in with "normal-user" 
in the Menu the "Utilities" points to hostname/rudder/secure/utilities/techniqueEditor and I'm getting error 404
the /rudder/secure/configurationManager/techniqueEditor does work.

But the technique is actually created or updated!

Actions #1

Updated by François ARMAND about 5 years ago

Webapp logs:

[2019-12-10 14:47:06] ERROR api-processing - Authorization error for 'POST secure/api/ncf': User 'alice' is not allowed to access POST secure/api/ncf
[2019-12-10 14:47:06] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'alice' is not allowed to access POST secure/api/ncf" 
[2019-12-10 14:47:07] INFO  com.normation.cfclerk.services.impl.TechniqueRepositoryImpl - Reloading technique library, found modified technique(s): ['test': updated (1.0: VersionUpdated)]
[2019-12-10 14:47:08] INFO  com.normation.rudder.services.policies.DeployOnTechniqueCallback - Automatic batch update at 2019-12-10T14:47:05.603+01:00
Actions #2

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from New to In progress
Actions #3

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/2671
Actions #4

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from Pending technical review to Pending release
Actions #5

Updated by François ARMAND almost 5 years ago

  • Priority changed from 104 to 103

There is still a wrong redirection from utilities to techniqueEditor, but no more message. I'm opening an other ticket for the redirection.

Actions #6

Updated by François ARMAND almost 5 years ago

  • Fix check changed from To do to Checked
Actions #7

Updated by François ARMAND almost 5 years ago

  • Subject changed from Technique editor access authorization seems incorect to Technique edit authorizations don't allow technique editor use
Actions #8

Updated by Vincent MEMBRÉ almost 5 years ago

  • Status changed from Pending release to Released
  • Priority changed from 103 to 102

This bug has been fixed in Rudder 5.0.16 which was released today.

Actions

Also available in: Atom PDF