Bug #21638
openThe rules page does not work with a "configuration role"
Description
Missing permissions in logs:
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/compliance/rules': User 'configurator' is not allowed to access GET secure/api/compliance/rules [2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/compliance/rules" [2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/groups/tree': User 'configurator' is not allowed to access GET secure/api/groups/tree [2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/groups/tree" [2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/nodes': User 'configurator' is not allowed to access GET secure/api/nodes [2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/nodes" [2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/changes': User 'configurator' is not allowed to access GET secure/api/changes [2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/changes" [2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/settings/global_policy_mode': User 'configurator' is not allowed to access GET secure/api/settings/{key} [2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/settings/{key}"
Files
Updated by François ARMAND over 1 year ago
- Description updated (diff)
- Target version set to 7.2.6
- Severity set to Major - prevents use of part of Rudder | no simple workaround
- UX impact set to I hate Rudder for that
- User visibility set to First impressions of Rudder
- Effort required set to Medium
- Priority changed from 0 to 118
The problem is that the configuration role should actually not be allowed to these API since it is intended to only access and act on "configuration" section, ie nothing node related. In previous times, it didn't happen because authorization check were done in liftweb.
The solution would be to create dedicated internal API that merge in the backend all call into one and have the correct permissions for that role.
More precisely:
- GET secure/api/compliance/rules
: (access to compliance by rule) perhaps this one should be allowed for configuration
- GET secure/api/groups/tree
: (info on groups, group prop, nodes on groups, etc) this one is clearly not in the current definition of the role
- GET secure/api/nodes
: (info on nodes, node inventory, inventory, etc): should remain forbidden
- GET secure/api/changes
: (info on rule changes): this one should be authorized
- GET secure/api/settings/{key}
: access on config value: should remain forbidden
Updated by François ARMAND over 1 year ago
- Assignee set to Vincent MEMBRÉ
- Priority changed from 118 to 117
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.6 to 7.2.7
- Priority changed from 117 to 116
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.7 to 7.2.8
- Priority changed from 116 to 115
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.8 to 7.2.9
- Priority changed from 115 to 112
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.9 to 7.2.10
- Priority changed from 112 to 111
Updated by Alexis Mousset over 1 year ago
- Target version changed from 7.2.10 to 7.2.11
- Priority changed from 111 to 110
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.2.11 to 1046
- Priority changed from 110 to 109
Updated by Alexis Mousset about 1 year ago
- Target version changed from 1046 to 7.3.8
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 7.3.8 to 7.3.9
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 7.3.9 to 7.3.10
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 7.3.10 to 7.3.11
Updated by Vincent MEMBRÉ 11 months ago
- Target version changed from 7.3.11 to 7.3.12
Updated by Vincent MEMBRÉ 10 months ago
- Target version changed from 7.3.12 to 7.3.13
Updated by Vincent MEMBRÉ 10 months ago
- Target version changed from 7.3.13 to 7.3.14
Updated by Vincent MEMBRÉ 8 months ago
- Target version changed from 7.3.14 to 7.3.15
Updated by Vincent MEMBRÉ 7 months ago
- Target version changed from 7.3.15 to 7.3.16
Updated by Vincent MEMBRÉ 6 months ago
- Target version changed from 7.3.16 to 7.3.17