Project

General

Profile

Actions

Architecture #24189

closed

Rudder - Architecture #24183: Add an Alias type of Role to track role mapping and IdP logout

No API right with aliased roles

Added by François ARMAND 9 months ago. Updated 8 months ago.

Status:
Released
Priority:
N/A
Target version:
Effort required:
Name check:
To do
Fix check:
To do
Regression:
No

Description

It seems that an aliased role permission is not correctly carried to API endpoints.

When log with an aliased administrator, trying to go to user management plugin, I get:

[2024-02-14 10:58:59+0100] DEBUG auth-backends - Identifying OIDC user info with sub: '00u3smso2m5zF2jom5d7' on rudder user base using login: 'francois@rudder.io'
[2024-02-14 10:58:59+0100] TRACE auth-backends - IdP configuration has registered role mapping: [(rudder_admin,administrator); (rudder_readonly,readonly)]
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-a' does not match any Rudder role, ignoring it for user francois@rudder.io
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-b' does not match any Rudder role, ignoring it for user francois@rudder.io
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io': mapping IdP provided role 'rudder_admin' to Rudder role 'administrator' 
[2024-02-14 10:58:59+0100] INFO  application.authorization - Principal 'francois@rudder.io' role list extended with OIDC provided roles: [rudder_admin(administrator)] (override: true)
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io' final list of roles: [administrator]
[2024-02-14 10:58:59+0100] INFO  application - Rudder authentication attempt for principal 'francois@rudder.io' with backend 'oidc': success
[2024-02-14 10:58:59+0100] INFO  compliance - [metrics] global compliance (number of components): 6388 [p:6196 s:0 r:0 e:0 u:0 m:0 nr:192 na:0 rd:0 c:0 ana:0 nc:0 ae:0 bpm:0]
[2024-02-14 10:59:04+0100] ERROR api-processing - Authorization error for 'GET secure/api/usermanagement/users': User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users
[2024-02-14 10:59:04+0100] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users" 

But perhaps it's just an instance of: https://issues.rudder.io/issues/23254


Related issues 3 (0 open3 closed)

Related to Rudder - Bug #24132: Display a custom, no rights dashboard when a user hasn't any rightsRejectedClark ANDRIANASOLOActions
Related to Authentication backends - Bug #24202: No API right with OIDC provided rolesReleasedVincent MEMBRÉActions
Related to Rudder - Bug #24284: Log on user api authorizations should be more conciseReleasedFrançois ARMANDActions
Actions

Also available in: Atom PDF