Bug #21638

open

The rules page does not work with a "configuration role"

Added by Alexis Mousset over 2 years ago. Updated 6 months ago.

Status:
New
Priority:
N/A
Category:
Web - Config management
Target version:
Severity:
Major - prevents use of part of Rudder | no simple workaround
UX impact:
I hate Rudder for that
User visibility:
First impressions of Rudder
Effort required:
Medium
Priority:
109
Name check:
To do
Fix check:
To do
Regression:
No

Description

Missing permissions in logs:

[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/compliance/rules': User 'configurator' is not allowed to access GET secure/api/compliance/rules
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/compliance/rules" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/groups/tree': User 'configurator' is not allowed to access GET secure/api/groups/tree
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/groups/tree" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/nodes': User 'configurator' is not allowed to access GET secure/api/nodes
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/nodes" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/changes': User 'configurator' is not allowed to access GET secure/api/changes
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/changes" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/settings/global_policy_mode': User 'configurator' is not allowed to access GET secure/api/settings/{key}
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/settings/{key}" 


Files

clipboard-202208251316-ngnbs.png (70.7 KB) Alexis Mousset, 2022-08-25 13:16
Actions #1

Updated by Alexis Mousset over 2 years ago

  • Regression changed from Yes to No
Actions #2

Updated by François ARMAND over 1 year ago

  • Description updated (diff)
  • Target version set to 7.2.6
  • Severity set to Major - prevents use of part of Rudder | no simple workaround
  • UX impact set to I hate Rudder for that
  • User visibility set to First impressions of Rudder
  • Effort required set to Medium
  • Priority changed from 0 to 118

The problem is that the configuration role should actually not be allowed to access these APIs, since it is intended to only access and act on the "configuration" section, i.e. nothing node related. In previous times, it didn't happen because authorization checks were done in liftweb.

The solution would be to create a dedicated internal API that merges in the backend all calls into one and has the correct permissions for that role.

More precisely:

- GET secure/api/compliance/rules: (access to compliance by rule) perhaps this one should be allowed for configuration
- GET secure/api/groups/tree: (info on groups, group prop, nodes on groups, etc) this one is clearly not in the current definition of the role
- GET secure/api/nodes: (info on nodes, node inventory, inventory, etc): should remain forbidden
- GET secure/api/changes: (info on rule changes): this one should be authorized
- GET secure/api/settings/{key}: access on config value: should remain forbidden
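
As an added illustration of how to triage these denials (this is example code for this ticket, not Rudder's own code), the script below parses the "ERROR api" authorization lines quoted in the description, keeps the route template rather than the concrete path (so `settings/global_policy_mode` is matched as `settings/{key}`), and compares each denied route against an expectation table transcribed from the per-endpoint verdicts in the comment above. The table, the `configurator`-to-role mapping and the verdict labels are assumptions made for the example; they are not Rudder's actual ACL. The RestUtils lines repeat the same denial and are skipped so each call is counted once.

```python
"""Triage Rudder-style "Authorization error" log lines for one role.

Added example for this ticket; not Rudder code. The expectation table is a
hypothetical transcription of the discussion, not Rudder's real ACL.
"""
import re
from collections import Counter

# Constructed input: the "ERROR api" lines quoted in the issue description,
# plus one RestUtils duplicate to show that it is skipped.
SAMPLE_LOG = """\
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/compliance/rules': User 'configurator' is not allowed to access GET secure/api/compliance/rules
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/compliance/rules"
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/groups/tree': User 'configurator' is not allowed to access GET secure/api/groups/tree
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/nodes': User 'configurator' is not allowed to access GET secure/api/nodes
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/changes': User 'configurator' is not allowed to access GET secure/api/changes
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/settings/global_policy_mode': User 'configurator' is not allowed to access GET secure/api/settings/{key}
"""

# Matches only the "ERROR api" form; the concrete path and the route
# template are captured separately because they differ for settings/{key}.
AUTHZ_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] ERROR api - Authorization error for "
    r"'(?P<method>[A-Z]+) (?P<path>[^']+)': "
    r"User '(?P<user>[^']+)' is not allowed to access "
    r"(?P<tmethod>[A-Z]+) (?P<template>\S+)$"
)


def parse_authz_errors(log_text):
    """Return one dict per 'ERROR api' authorization line (RestUtils lines
    carry the same denial and are ignored)."""
    events = []
    for line in log_text.splitlines():
        m = AUTHZ_RE.match(line.rstrip())
        if m:
            events.append(m.groupdict())
    return events


# Hypothetical expectation table for the "configuration" role, transcribed
# from the verdicts in the comment above. Assumption for this example only.
CONFIGURATION_ROLE_EXPECTED = {
    ("GET", "secure/api/compliance/rules"): "undecided",  # "perhaps ... allowed"
    ("GET", "secure/api/groups/tree"): "deny",
    ("GET", "secure/api/nodes"): "deny",
    ("GET", "secure/api/changes"): "allow",
    ("GET", "secure/api/settings/{key}"): "deny",
}


def triage(events, expected, role_users):
    """Classify each denied (method, route template) seen for the role's users:
    'bug' when the table says the role should be allowed, 'intended' when it
    should be denied, 'undecided' when the discussion has not settled it, and
    'unknown' for a route missing from the table (deny-by-default, but flag it)."""
    verdicts = {}
    for ev in events:
        if ev["user"] not in role_users:
            continue
        key = (ev["tmethod"], ev["template"])
        expectation = expected.get(key, "unknown")
        verdicts[key] = {"allow": "bug", "deny": "intended"}.get(expectation, expectation)
    return verdicts


def summarize(log_text, expected=CONFIGURATION_ROLE_EXPECTED,
              role_users=("configurator",)):
    """Return (counts per verdict, verdict per route) for the given log text."""
    verdicts = triage(parse_authz_errors(log_text), expected, role_users)
    return Counter(verdicts.values()), verdicts


if __name__ == "__main__":
    counts, verdicts = summarize(SAMPLE_LOG)
    for route, verdict in sorted(verdicts.items()):
        print(f"{verdict:10s} {route[0]} {route[1]}")
    print(dict(counts))
```

Run on the quoted log, the only route classified as a bug (denied but expected to be allowed) is `GET secure/api/changes`; `nodes`, `groups/tree` and `settings/{key}` come out as intended denials, and `compliance/rules` stays undecided, which mirrors the open question in the comment. Keying on the route template rather than the concrete path is what makes the `settings` entry match regardless of which key the page requested.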

Actions #3

Updated by François ARMAND over 1 year ago

  • Assignee set to Vincent MEMBRÉ
  • Priority changed from 118 to 117
Actions #4

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 7.2.6 to 7.2.7
  • Priority changed from 117 to 116
Actions #5

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 7.2.7 to 7.2.8
  • Priority changed from 116 to 115
Actions #6

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 7.2.8 to 7.2.9
  • Priority changed from 115 to 112
Actions #7

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 7.2.9 to 7.2.10
  • Priority changed from 112 to 111
Actions #8

Updated by Alexis Mousset over 1 year ago

  • Target version changed from 7.2.10 to 7.2.11
  • Priority changed from 111 to 110
Actions #9

Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 7.2.11 to 1046
  • Priority changed from 110 to 109
Actions #10

Updated by Alexis Mousset about 1 year ago

  • Target version changed from 1046 to 7.3.8
Actions #11

Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 7.3.8 to 7.3.9
Actions #12

Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 7.3.9 to 7.3.10
Actions #13

Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 7.3.10 to 7.3.11
Actions #14

Updated by Vincent MEMBRÉ 11 months ago

  • Target version changed from 7.3.11 to 7.3.12
Actions #15

Updated by Vincent MEMBRÉ 10 months ago

  • Target version changed from 7.3.12 to 7.3.13
Actions #16

Updated by Vincent MEMBRÉ 10 months ago

  • Target version changed from 7.3.13 to 7.3.14
Actions #17

Updated by Vincent MEMBRÉ 8 months ago

  • Target version changed from 7.3.14 to 7.3.15
Actions #18

Updated by Vincent MEMBRÉ 7 months ago

  • Target version changed from 7.3.15 to 7.3.16
Actions #19

Updated by Vincent MEMBRÉ 6 months ago

  • Target version changed from 7.3.16 to 7.3.17