Actions
Architecture #24189
closed
Rudder - Architecture #24183: Add an Alias type of Role to track role mapping and IdP logout
No API right with aliased roles
Fix check:
To do
Regression:
No
Description
It seems that an aliased role permission is not correctly carried to API endpoints.
When log with an aliased administrator, trying to go to user management plugin, I get:
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Identifying OIDC user info with sub: '00u3smso2m5zF2jom5d7' on rudder user base using login: 'francois@rudder.io' [2024-02-14 10:58:59+0100] TRACE auth-backends - IdP configuration has registered role mapping: [(rudder_admin,administrator); (rudder_readonly,readonly)] [2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-a' does not match any Rudder role, ignoring it for user francois@rudder.io [2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-b' does not match any Rudder role, ignoring it for user francois@rudder.io [2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io': mapping IdP provided role 'rudder_admin' to Rudder role 'administrator' [2024-02-14 10:58:59+0100] INFO application.authorization - Principal 'francois@rudder.io' role list extended with OIDC provided roles: [rudder_admin(administrator)] (override: true) [2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io' final list of roles: [administrator] [2024-02-14 10:58:59+0100] INFO application - Rudder authentication attempt for principal 'francois@rudder.io' with backend 'oidc': success [2024-02-14 10:58:59+0100] INFO compliance - [metrics] global compliance (number of components): 6388 [p:6196 s:0 r:0 e:0 u:0 m:0 nr:192 na:0 rd:0 c:0 ana:0 nc:0 ae:0 bpm:0] [2024-02-14 10:59:04+0100] ERROR api-processing - Authorization error for 'GET secure/api/usermanagement/users': User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users [2024-02-14 10:59:04+0100] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users"
But perhaps it's just an instance of: https://issues.rudder.io/issues/23254
Updated by Clark ANDRIANASOLO 2 months ago
- Project changed from Rudder to Authentication backends
- Category deleted (
Security) - Target version set to 1020
Updated by Clark ANDRIANASOLO 2 months ago
- Status changed from New to In progress
Updated by Clark ANDRIANASOLO 2 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder-plugins/pull/655
Updated by Clark ANDRIANASOLO 2 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder:rudder-plugins|e79f953a446efb0cafd1acd40aec97af470b890b.
Updated by François ARMAND 2 months ago
Applied in changeset rudder:rudder-plugins|b0ac9992f4376b1056a34c12e5f923479939a93f.
Updated by Clark ANDRIANASOLO 2 months ago
- Related to Bug #24132: Display a custom, no rights dashboard when a user hasn't any rights added
Updated by Clark ANDRIANASOLO 2 months ago
- Related to Bug #24202: No API right with OIDC provided roles added
Updated by François ARMAND 2 months ago
- Target version changed from 1020 to 7.3.12-backport-24146
Updated by Clark ANDRIANASOLO about 2 months ago
- Related to Bug #24284: Log on user api authorizations should be more concise added
Updated by Vincent MEMBRÉ 24 days ago
- Target version changed from 7.3.12-backport-24146 to 7.3
Updated by Vincent MEMBRÉ 24 days ago
- Status changed from Pending release to Released
Actions