Architecture #24189

closed

Rudder - Architecture #24183: Add an Alias type of Role to track role mapping and IdP logout

No API right with aliased roles

Added by François ARMAND 12 months ago. Updated 10 months ago.

Status: Released
Priority: N/A
Target version:
Effort required:
Name check: To do
Fix check: To do
Regression: No

Description

It seems that an aliased role permission is not correctly carried to API endpoints.

When logged in as an aliased administrator, trying to go to the user management plugin, I get:

[2024-02-14 10:58:59+0100] DEBUG auth-backends - Identifying OIDC user info with sub: '00u3smso2m5zF2jom5d7' on rudder user base using login: 'francois@rudder.io'
[2024-02-14 10:58:59+0100] TRACE auth-backends - IdP configuration has registered role mapping: [(rudder_admin,administrator); (rudder_readonly,readonly)]
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-a' does not match any Rudder role, ignoring it for user francois@rudder.io
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Role 'role-oidc-b' does not match any Rudder role, ignoring it for user francois@rudder.io
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io': mapping IdP provided role 'rudder_admin' to Rudder role 'administrator' 
[2024-02-14 10:58:59+0100] INFO  application.authorization - Principal 'francois@rudder.io' role list extended with OIDC provided roles: [rudder_admin(administrator)] (override: true)
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io' final list of roles: [administrator]
[2024-02-14 10:58:59+0100] INFO  application - Rudder authentication attempt for principal 'francois@rudder.io' with backend 'oidc': success
[2024-02-14 10:58:59+0100] INFO  compliance - [metrics] global compliance (number of components): 6388 [p:6196 s:0 r:0 e:0 u:0 m:0 nr:192 na:0 rd:0 c:0 ana:0 nc:0 ae:0 bpm:0]
[2024-02-14 10:59:04+0100] ERROR api-processing - Authorization error for 'GET secure/api/usermanagement/users': User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users
[2024-02-14 10:59:04+0100] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users" 

But perhaps it's just an instance of: https://issues.rudder.io/issues/23254


Related issues 3 (0 open, 3 closed)

Related to Rudder - Bug #24132: Display a custom, no rights dashboard when a user hasn't any rights | Rejected | Clark ANDRIANASOLO
Related to Authentication backends - Bug #24202: No API right with OIDC provided roles | Released | Vincent MEMBRÉ
Related to Rudder - Bug #24284: Log on user api authorizations should be more concise | Released | François ARMAND
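A log check for the symptom reported in the description, as an added example (not Rudder code and not part of the original issue): it correlates each principal's "final list of roles" line with later `api-processing` authorization errors and flags denials that hit a user whose resolved roles include a privileged one. The function name, the `privileged` parameter, and the assumption that `administrator` should never be denied an API endpoint are hypothetical; the `alice@example.com` lines are constructed, the others are copied from the log above.

```python
import re

# Lines for francois@rudder.io are copied from the issue description;
# the alice@example.com lines are constructed sample input.
SAMPLE_LOG = """\
[2024-02-14 10:58:59+0100] DEBUG auth-backends - Principal 'francois@rudder.io' final list of roles: [administrator]
[2024-02-14 10:58:59+0100] INFO  application - Rudder authentication attempt for principal 'francois@rudder.io' with backend 'oidc': success
[2024-02-14 10:59:04+0100] ERROR api-processing - Authorization error for 'GET secure/api/usermanagement/users': User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users
[2024-02-14 10:59:04+0100] ERROR com.normation.rudder.rest.RestUtils - "Authorization error: User 'francois@rudder.io' is not allowed to access GET secure/api/usermanagement/users"
[2024-02-14 11:02:10+0100] DEBUG auth-backends - Principal 'alice@example.com' final list of roles: [readonly]
[2024-02-14 11:02:15+0100] ERROR api-processing - Authorization error for 'GET secure/api/usermanagement/users': User 'alice@example.com' is not allowed to access GET secure/api/usermanagement/users
"""

# Role list resolved at login time by the authentication backend.
ROLES_RE = re.compile(r"Principal '([^']+)' final list of roles: \[([^\]]*)\]")
# Only the api-processing line is matched, so the duplicate RestUtils
# line for the same denial is not counted twice.
DENIED_RE = re.compile(
    r"^\[([^\]]+)\] ERROR api-processing - Authorization error for '([^']+)': User '([^']+)'"
)


def find_role_api_mismatches(log_text, privileged=("administrator",)):
    """Return (timestamp, user, endpoint, roles) for every API denial that
    hits a user whose most recently logged role list contains a role from
    `privileged` (assumption: such roles should be allowed everywhere)."""
    roles_by_user = {}
    findings = []
    for line in log_text.splitlines():
        m = ROLES_RE.search(line)
        if m:
            roles = [r.strip() for r in m.group(2).split(",") if r.strip()]
            roles_by_user[m.group(1)] = roles
            continue
        m = DENIED_RE.search(line)
        if m:
            ts, endpoint, user = m.groups()
            roles = roles_by_user.get(user, [])
            if any(r in privileged for r in roles):
                findings.append((ts, user, endpoint, roles))
    return findings


if __name__ == "__main__":
    for ts, user, endpoint, roles in find_role_api_mismatches(SAMPLE_LOG):
        print(f"{ts} {user} has roles {roles} but was denied {endpoint}")
```

The denial for the constructed `readonly` user is expected and is not reported; only the administrator denial from the issue is.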