Bug #23098

closed

Plugin cannot add custom roles or it will be overwritten by boot custom roles

Added by Vincent MEMBRÉ 10 months ago. Updated 8 months ago.

Status: Released
Priority: N/A
Category: Web - Maintenance
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No

Description

With #23097, we added a role for the system-update plugin, but the role is removed by rudder init, which wipes the whole content of custom roles.


Related issues 3 (0 open, 3 closed)

Related to Rudder - Bug #22357: Reloading user must discared previously registered custom-roles (Released, Vincent MEMBRÉ)
Related to Authentication backends - Bug #23254: User management plugin incorrectly understands OIDC roles (Released, Vincent MEMBRÉ)
Related to Rudder plugins - Bug #23348: not allowed to access errors because rudder plugins are missing AuthorizationApiMapping (Released, Vincent MEMBRÉ)
Actions #1

Updated by Vincent MEMBRÉ 10 months ago

  • Status changed from New to In progress
  • Assignee set to Vincent MEMBRÉ
Actions #2

Updated by Vincent MEMBRÉ 10 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/4903
Actions #3

Updated by Vincent MEMBRÉ 10 months ago

  • Target version changed from 7.3.4 to 7.3.5
Actions #4

Updated by François ARMAND 10 months ago

  • Related to Bug #22357: Reloading user must discared previously registered custom-roles added
Actions #5

Updated by François ARMAND 10 months ago

We need to check what we want to do with that, because that PR undoes what was done in https://issues.rudder.io/issues/22357.

The problems are:
- if there are fewer custom-roles after a user update (for example through the user-management plugin), then they must be discarded
- we need to correctly have plugin-provided custom-roles registered and kept on reload

But we must even tackle a bigger problem: what we do with plugin-provided authorizations for base roles that "should" get them, like user and read_only, regarding for example system_update:read.

Options are:
- extend them with plugin-provided permissions,
- force the user to specify new permissions, perhaps aggregated in a new custom-role, and use these roles in place of the rudder base ones
- perhaps have a different role for the expandable one and the non-expandable one?

The last option is complicated and we're not sure of the provided value, the second one is cumbersome and not what is expected, and the first seems to be what people expect, what we used to do in rudder, and it doesn't forbid anything: someone is still able to define a strict custom role from the exact list of permissions he wants to give.

So we need to rethink that PR, and likely implement #1 in place of what was done here.
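
The two reload constraints and the first option from the comment above, sketched as an added example (not Rudder's code and not part of the original comment). `RoleRegistry`, its method names and the base permissions of `read_only` are assumptions made for illustration; the plugin permission names come from the log lines on this page.

```python
from dataclasses import dataclass, field

@dataclass
class RoleRegistry:  # hypothetical model, not a Rudder class
    builtin: dict                                     # built-in role -> base permissions
    extensions: dict = field(default_factory=dict)    # built-in role -> plugin-added permissions
    plugin_roles: dict = field(default_factory=dict)  # roles shipped by plugins
    file_roles: dict = field(default_factory=dict)    # custom roles read from the user file

    def register_plugin(self, roles, extends):
        """Called once per plugin at boot; a user reload never touches this state."""
        for name, perms in roles.items():
            self.plugin_roles[name] = frozenset(perms)
        for name, perms in extends.items():
            if name not in self.builtin:
                raise KeyError(f"cannot extend unknown built-in role {name!r}")
            self.extensions.setdefault(name, set()).update(perms)

    def reload_user_file(self, custom_roles):
        """Replace, never merge: a role dropped from the file must disappear."""
        self.file_roles = {n: frozenset(p) for n, p in custom_roles.items()}

    def permissions(self, role):
        if role in self.builtin:
            return frozenset(self.builtin[role]) | frozenset(self.extensions.get(role, ()))
        if role in self.plugin_roles:  # resolved before file roles, so a reload cannot shadow it
            return self.plugin_roles[role]
        # File-defined roles stay strict: exactly the listed permissions, never extended.
        return self.file_roles.get(role, frozenset())  # unknown role -> no permission


def demo():
    # Constructed sample data for the sketch.
    reg = RoleRegistry(builtin={"read_only": {"node_read", "group_read"}})
    reg.register_plugin(
        roles={"system_update": {"system_update_read", "system_update_write"}},
        extends={"read_only": {"system_update_read", "system_update_campaign_read"}},
    )
    reg.reload_user_file({"auditor": {"node_read"}})
    reg.reload_user_file({})  # "auditor" was removed from the user file
    return reg
```
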

Actions #6

Updated by Alexis Mousset 9 months ago

  • Target version changed from 7.3.5 to 7.3.6
Actions #7

Updated by François ARMAND 9 months ago

  • Related to Bug #23254: User management plugin incorrectly understands OIDC roles added
Actions #8

Updated by François ARMAND 8 months ago

  • Status changed from Pending technical review to In progress
Actions #9

Updated by François ARMAND 8 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Pull Request changed from https://github.com/Normation/rudder/pull/4903 to https://github.com/Normation/rudder/pull/5004
Actions #11

Updated by François ARMAND 8 months ago

  • Related to Bug #23348: not allowed to access errors because rudder plugins are missing AuthorizationApiMapping added
Actions #12

Updated by Anonymous 8 months ago

  • Status changed from Pending technical review to Pending release
Actions #14

Updated by François ARMAND 8 months ago

  • Fix check changed from To do to Checked

This is now working for example in system-update plugin 7.3.6-1.12-nightly:

[2023-09-14 15:31:05+0000] INFO  application - Extending built-in role 'user' with permissions: system_update_campaign_edit, system_update_write, system_update_campaign_read, system_update_read, system_update_edit, system_update_campaign_write
[2023-09-14 15:31:05+0000] INFO  application - Extending built-in role 'read_only' with permissions: system_update_read, system_update_campaign_read
[2023-09-14 15:31:05+0000] INFO  application - Extending built-in role 'inventory' with permissions: system_update_read, system_update_campaign_read
[2023-09-14 15:31:05+0000] INFO  application - Extending built-in role 'system_update' with permissions: group_read, system_update_campaign_edit, system_update_write, system_update_campaign_read, node_read, system_update_read, system_update_edit, system_update_campaign_write
Actions #15

Updated by Vincent MEMBRÉ 8 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.6 and 8.0.0~beta2 which were released today.
