Bug #24708
closedGroups node ids list in API is still exhaustive even with restricted tenant access
Pull Request:
Severity: Trivial - no functional impact | cosmetic
UX impact:
User visibility: Operational - other Techniques | Rudder settings | Plugins
Effort required: Small
Priority: 0
Name check: To do
Fix check: Checked
Regression: No
Description
When I log in as a user in a tenant which has access to a single node, root, and I generate an API token, OR I use an API account token with the same tenant access, I can still find all node ids of any group in the group details endpoint /api/groups/{groupId}/:
{
  "action": "groupDetails",
  "result": "success",
  "data": {
    "groups": [
      {
        ...,
        "nodeIds": [
          "0e7eedc8-d6af-4d68-a7f8-eec615a4bc1a",
          "root"
        ]
      }
    ]
  }
}
Especially when I query the group all-nodes-with-cfengine-agent, I can know all node ids in Rudder even outside of my tenant. But I don't have access to node details in /api/nodes/{nodeId}, nor to those nodes in the groups page.
This groups API endpoint should not leak node ids: the list of node ids should be filtered to include only the ones in the tenant.
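A check for the leak described above, added here as an example and not taken from Rudder's code: it compares the nodeIds in a group details response against the node ids the same tenant-restricted token can see, reports any id outside the tenant, and builds the tenant-filtered response the endpoint should return. The sample response, its "id" field and the tenant's node set are constructed for the example.

```python
import copy
import json

# Constructed sample modelled on the groupDetails response quoted in the ticket.
# The "id" field is a placeholder; the node ids are the ones shown in the ticket.
GROUP_DETAILS = json.loads("""
{
  "action": "groupDetails",
  "result": "success",
  "data": {
    "groups": [
      {
        "id": "all-nodes-with-cfengine-agent",
        "nodeIds": ["0e7eedc8-d6af-4d68-a7f8-eec615a4bc1a", "root"]
      }
    ]
  }
}
""")

# Constructed: node ids the tenant-restricted token can list through /api/nodes.
TENANT_NODE_IDS = {"root"}


def leaked_node_ids(group_details, tenant_node_ids):
    """Map group id -> node ids the tenant has no access to.

    An empty dict means the endpoint is correctly scoped to the tenant.
    """
    leaked = {}
    for group in group_details["data"]["groups"]:
        extra = [n for n in group["nodeIds"] if n not in tenant_node_ids]
        if extra:
            leaked[group["id"]] = extra
    return leaked


def filter_to_tenant(group_details, tenant_node_ids):
    """Return a copy of the response with nodeIds restricted to the tenant,
    i.e. what the endpoint should have answered; the input is left untouched."""
    filtered = copy.deepcopy(group_details)
    for group in filtered["data"]["groups"]:
        group["nodeIds"] = [n for n in group["nodeIds"] if n in tenant_node_ids]
    return filtered


if __name__ == "__main__":
    print("leaked:", leaked_node_ids(GROUP_DETAILS, TENANT_NODE_IDS))
    print("filtered:", json.dumps(filter_to_tenant(GROUP_DETAILS, TENANT_NODE_IDS)))
```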
Updated by Clark ANDRIANASOLO 7 months ago
- Status changed from New to In progress
- Assignee set to Clark ANDRIANASOLO
Updated by Clark ANDRIANASOLO 7 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/5608
Updated by Clark ANDRIANASOLO 7 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|7da1f6324a09617bc780e675e1fa464b2ae9d03a.
Updated by Clark ANDRIANASOLO 7 months ago
- Related to Bug #24787: Some group endpoints list node ids outside of restricted tenant access added
Updated by Vincent MEMBRÉ 7 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.1.1 which was released today.