Bug #23098
closed
Plugin cannot add custom roles or it will be overwritten by boot custom roles
Description
With #23097, we added a role for the system-update plugin, but the role is removed by rudder init, which wipes the whole content of custom roles.
Updated by Vincent MEMBRÉ over 1 year ago
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
Updated by Vincent MEMBRÉ over 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/4903
Updated by Vincent MEMBRÉ over 1 year ago
- Target version changed from 7.3.4 to 7.3.5
Updated by François ARMAND over 1 year ago
- Related to Bug #22357: Reloading user must discard previously registered custom-roles added
Updated by François ARMAND over 1 year ago
We need to check what we want to do with that, because that PR undoes what was done in https://issues.rudder.io/issues/22357.
The problems are:
- if there are fewer custom-roles after a user update (for example through the user-management plugin), then they must be discarded
- we need to correctly have plugin-provided custom-roles registered and kept on reload
But we must even tackle a bigger problem: what we do with plugin-provided authorizations for base roles that "should" get them, like user and read_only regarding for example system_update:read.
Options are:
- extend them with plugin-provided permissions,
- force the user to specify new permissions, perhaps aggregated in a new custom-role, and use these roles in place of the rudder base ones
- perhaps have a different role for the expandable one and the non-expandable one?
The last option is complicated and we're not sure of the provided value, the second one is cumbersome and not what is expected, and the first seems to be what people expect, what we used to do in rudder, and it doesn't forbid anything: someone is still able to define a strict custom role from the exact list of permissions he wants to give.
So we need to rethink that PR, and likely implement #1 in place of what was done here.
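The reload requirements and option #1 from the comment above, modelled as an added Python example; it is not Rudder's code (Rudder itself is written in Scala). Class and method names, the custom roles `auditor` and `ops`, and the `node_write` permission are constructed for illustration.

```python
# Added illustration: a minimal model, not Rudder's implementation.
# RoleRegistry and its methods are hypothetical names.
from dataclasses import dataclass, field

@dataclass
class RoleRegistry:
    builtin: dict                                      # base roles shipped with the application
    plugin_ext: dict = field(default_factory=dict)     # base role -> permissions added by plugins
    plugin_roles: dict = field(default_factory=dict)   # custom roles registered by plugins
    file_roles: dict = field(default_factory=dict)     # custom roles read from the users file

    def register_plugin(self, roles, extensions):
        """Called at boot for each plugin; kept across later reloads."""
        for name, perms in roles.items():
            self.plugin_roles[name] = frozenset(perms)
        for base, perms in extensions.items():
            if base not in self.builtin:
                raise KeyError(f"unknown built-in role: {base}")
            self.plugin_ext.setdefault(base, set()).update(perms)

    def reload_users_file(self, custom_roles):
        """Replace, never merge: a role dropped from the file must disappear.
        Only file_roles is touched, so plugin-provided data survives."""
        self.file_roles = {n: frozenset(p) for n, p in custom_roles.items()}

    def permissions(self, role):
        # Built-in and plugin names are resolved first, so a file-defined
        # role with the same name cannot shadow them.
        if role in self.builtin:
            extra = self.plugin_ext.get(role, ())
            return frozenset(self.builtin[role]) | frozenset(extra)
        if role in self.plugin_roles:
            return self.plugin_roles[role]
        return self.file_roles.get(role, frozenset())  # unknown role: no rights

def demo():
    reg = RoleRegistry(builtin={"user": {"node_read", "node_write"},
                                "read_only": {"node_read"}})
    reg.register_plugin(
        roles={"system_update": {"node_read", "group_read", "system_update_read"}},
        extensions={"user": {"system_update_read", "system_update_write"},
                    "read_only": {"system_update_read"}})
    reg.reload_users_file({"auditor": {"node_read"}, "ops": {"node_write"}})
    reg.reload_users_file({"auditor": {"node_read"}})  # "ops" removed by an admin
    return reg
```

Storing plugin registrations separately from file-defined roles is what lets a reload drop stale custom roles without wiping what plugins registered at boot.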
Updated by Alexis Mousset over 1 year ago
- Target version changed from 7.3.5 to 7.3.6
Updated by François ARMAND over 1 year ago
- Related to Bug #23254: User management plugin incorrectly understands OIDC roles added
Updated by François ARMAND about 1 year ago
- Status changed from Pending technical review to In progress
Updated by François ARMAND about 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Pull Request changed from https://github.com/Normation/rudder/pull/4903 to https://github.com/Normation/rudder/pull/5004
Updated by François ARMAND about 1 year ago
- Related to Bug #23348: not allowed to access errors because rudder plugins are missing AuthorizationApiMapping added
Updated by Anonymous about 1 year ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|33a9b414ab02e595dff815b112a8b2a1ffe95817.
Updated by François ARMAND about 1 year ago
- Fix check changed from To do to Checked
This is now working for example in system-update plugin 7.3.6-1.12-nightly:
[2023-09-14 15:31:05+0000] INFO application - Extending built-in role 'user' with permissions: system_update_campaign_edit, system_update_write, system_update_campaign_read, system_update_read, system_update_edit, system_update_campaign_write
[2023-09-14 15:31:05+0000] INFO application - Extending built-in role 'read_only' with permissions: system_update_read, system_update_campaign_read
[2023-09-14 15:31:05+0000] INFO application - Extending built-in role 'inventory' with permissions: system_update_read, system_update_campaign_read
[2023-09-14 15:31:05+0000] INFO application - Extending built-in role 'system_update' with permissions: group_read, system_update_campaign_edit, system_update_write, system_update_campaign_read, node_read, system_update_read, system_update_edit, system_update_campaign_write
Updated by Vincent MEMBRÉ about 1 year ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.3.6 and 8.0.0~beta2 which were released today.