Bug #21638: The rules page does not work with a "configuration role" - Rudder - Issue Tracker

Actions

Copy link

Bug #21638

open

The rules page does not work with a "configuration role"

Added by Alexis Mousset about 2 years ago. Updated 5 months ago.

Status:

New

Priority:

N/A

Assignee:

Vincent MEMBRÉ

Category:

Web - Config management

Target version:

7.3.17

Pull Request:

Severity:

Major - prevents use of part of Rudder | no simple workaround

UX impact:

I hate Rudder for that

User visibility:

First impressions of Rudder

Effort required:

Medium

Priority:

109

Name check:

To do

Fix check:

To do

Regression:

Description

Missing permissions in logs:

[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/compliance/rules': User 'configurator' is not allowed to access GET secure/api/compliance/rules
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/compliance/rules" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/groups/tree': User 'configurator' is not allowed to access GET secure/api/groups/tree
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/groups/tree" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/nodes': User 'configurator' is not allowed to access GET secure/api/nodes
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/nodes" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/changes': User 'configurator' is not allowed to access GET secure/api/changes
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/changes" 
[2023-04-06 14:57:47+0200] ERROR api - Authorization error for 'GET secure/api/settings/global_policy_mode': User 'configurator' is not allowed to access GET secure/api/settings/{key}
[2023-04-06 14:57:47+0200] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'configurator' is not allowed to access GET secure/api/settings/{key}"

Files

clipboard-202208251316-ngnbs.png (70.7 KB) clipboard-202208251316-ngnbs.png

Alexis Mousset, 2022-08-25 13:16

Actions

Copy link

Updated by Alexis Mousset about 2 years ago

Regression changed from Yes to No

Actions

Copy link

Updated by François ARMAND over 1 year ago

Description updated (diff)
Target version set to 7.2.6
Severity set to Major - prevents use of part of Rudder | no simple workaround
UX impact set to I hate Rudder for that
User visibility set to First impressions of Rudder
Effort required set to Medium
Priority changed from 0 to 118

The problem is that the configuration role should actually not be allowed to these API since it is intended to only access and act on "configuration" section, ie nothing node related. In previous times, it didn't happen because authorization check were done in liftweb.

The solution would be to create dedicated internal API that merge in the backend all call into one and have the correct permissions for that role.

More precisely:

- GET secure/api/compliance/rules: (access to compliance by rule) perhaps this one should be allowed for configuration
- GET secure/api/groups/tree: (info on groups, group prop, nodes on groups, etc) this one is clearly not in the current definition of the role
- GET secure/api/nodes: (info on nodes, node inventory, inventory, etc): should remain forbidden
- GET secure/api/changes: (info on rule changes): this one should be authorized
- GET secure/api/settings/{key}: access on config value: should remain forbidden