Actions
Bug #16386
closed
Technique edit authorizations don't allow technique editor use
Status:
Released
Priority:
N/A
Assignee:
Category:
Web - Technique editor
Target version:
Pull Request:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Very Small
Priority:
102
Name check:
To do
Fix check:
Checked
Regression:
Description
When the have the user authorization plugin, admin can access the technique editor, but not an user with rights:
<user name="alice" password="xxx" role="user,deployment_read,deployment_write,directive_read,directive_edit,directive_write,technique_read,technique_edit,technique_write,configuration_read" />
Then, in the Menu the "Utilities" points to hostname/rudder/secure/utilities/techniqueEditor and I'm getting error 404.
If I go directly to /rudder/secure/configurationManager/techniqueEditor, it does work.
Moreover, with the less authorized user, creating a technique leads to error:
I have a dead link if I'm logging in with "normal-user" in the Menu the "Utilities" points to hostname/rudder/secure/utilities/techniqueEditor and I'm getting error 404 the /rudder/secure/configurationManager/techniqueEditor does work.
But the technique is actually created or updated!
Updated by François ARMAND almost 5 years ago
Webapp logs:
[2019-12-10 14:47:06] ERROR api-processing - Authorization error for 'POST secure/api/ncf': User 'alice' is not allowed to access POST secure/api/ncf [2019-12-10 14:47:06] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'alice' is not allowed to access POST secure/api/ncf" [2019-12-10 14:47:07] INFO com.normation.cfclerk.services.impl.TechniqueRepositoryImpl - Reloading technique library, found modified technique(s): ['test': updated (1.0: VersionUpdated)] [2019-12-10 14:47:08] INFO com.normation.rudder.services.policies.DeployOnTechniqueCallback - Automatic batch update at 2019-12-10T14:47:05.603+01:00
Updated by Vincent MEMBRÉ almost 5 years ago
- Status changed from New to In progress
Updated by Vincent MEMBRÉ almost 5 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/2671
Updated by Vincent MEMBRÉ almost 5 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|7f98fc6504d2c72be329b142b5342e158f700134.
Updated by François ARMAND almost 5 years ago
- Priority changed from 104 to 103
There is still a wrong redirection from utilities to techniqueEditor, but no more message. I'm opening an other ticket for the redirection.
Updated by François ARMAND almost 5 years ago
- Fix check changed from To do to Checked
Updated by François ARMAND almost 5 years ago
- Subject changed from Technique editor access authorization seems incorect to Technique edit authorizations don't allow technique editor use
Updated by Vincent MEMBRÉ almost 5 years ago
- Status changed from Pending release to Released
- Priority changed from 103 to 102
This bug has been fixed in Rudder 5.0.16 which was released today.
Actions