Bug #8085

web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry

Added by Florian Heigl almost 4 years ago. Updated almost 4 years ago.

Status: Released
Priority: 1
Category: Web - Maintenance
Target version:
Severity:
User visibility:
Effort required:

Description

Hi,

as seen in topic:
A user that has no explicit entry in the users list in the xml file:

They'll be able to pass the web authentication and log in to a Rudder session.

In 2.x you'd only see a link to the Rudder docs and a "welcome" message; in 3.x+ you see the global compliance.

After discussion with Benoit this is actually to be considered a bug and not a feature.
You should not get in or at least get kicked out if you don't have actual permissions on the web interface.


Subtasks

Bug #8122: Merging #8085 from 2.11 broke branch 3.0 (Released, Nicolas CHARLES)

Associated revisions

Revision 210f0fa4 (diff)
Added by François ARMAND almost 4 years ago

Fixes #8085: web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry

Revision 2493a75b (diff)
Added by François ARMAND almost 4 years ago

Fixes #8085: web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry

Revision 6f99e120
Added by Nicolas CHARLES almost 4 years ago

Merge pull request #1069 from fanf/bug_8085/web_interface_login_able_to_log_in_with_valid_ldap_account_but_no_matching_rudder_users_xml_entry

Fixes #8085: web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry

Revision c934813b
Added by Nicolas CHARLES almost 4 years ago

Merge pull request #1069 from fanf/bug_8085/web_interface_login_able_to_log_in_with_valid_ldap_account_but_no_matching_rudder_users_xml_entry

Fixes #8085: web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry

History

#1

Updated by Janos Mattyasovszky almost 4 years ago

  • Found in version(s) old 2.11.19 added
#2

Updated by François ARMAND almost 4 years ago

That seems right. The cause is that we had an "anonymous" profile, but it makes little sense to FORCE having it. So we should just either remove it completely, or make it configurable whether users that are not in the authz file get anonymous rights or nothing at all.

#3

Updated by François ARMAND almost 4 years ago

  • Target version set to 2.11.20

Targeting 2.11 to have a consistent behaviour across all Rudder versions, even if it wasn't a problem back then.

#4

Updated by François ARMAND almost 4 years ago

  • Status changed from New to In progress
  • Assignee changed from Benoît PECCATTE to François ARMAND
#5

Updated by François ARMAND almost 4 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/1069
#6

Updated by François ARMAND almost 4 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
#7

Updated by François ARMAND almost 4 years ago

  • Assignee changed from Nicolas CHARLES to François ARMAND
  • % Done changed from 100 to 0

The final solution is to let the user access Rudder but not let them see anything if no authorizations are defined at all (and so, if they were not in the file). The other solution would have had a much bigger impact, and so was more risky.
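The two authorization semantics discussed in this ticket, side by side, as an added example that is not part of the ticket or of Rudder's code. It is written in Python rather than Rudder's Scala so it can be run stand-alone. The XML below only imitates a rudder-users.xml-style user list (element and attribute names are assumptions, not Rudder's schema), the role-to-permission table and the "anonymous" rights are hypothetical, and both lookup functions assume the caller has already authenticated the user (for instance against LDAP) and only decide what that user may see.

```python
"""Authorization lookup for an already-authenticated web user.

permissions_before_fix(): the pre-#8085 semantics, where a user absent
from the user list silently receives an implicit "anonymous" profile.
permissions_after_fix(): the fixed semantics, where such a user gets an
empty permission set, so every page check denies (fail closed).
"""
import xml.etree.ElementTree as ET

# Constructed sample user list (format is an approximation, not Rudder's
# actual schema). "bob" deliberately has no entry; "carol" has a role
# that is not defined anywhere.
USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<authentication hash="sha512">
  <user name="admin" password="..." role="administrator"/>
  <user name="alice" password="..." role="read_only"/>
  <user name="carol" password="..." role="no_such_role"/>
</authentication>
"""

# Hypothetical role -> permission table for the demonstration.
ROLE_PERMISSIONS = {
    "administrator": {"node_read", "node_write", "rule_read",
                      "rule_write", "compliance_read"},
    "read_only": {"node_read", "rule_read", "compliance_read"},
}

# Hypothetical rights of the implicit "anonymous" profile that the
# pre-fix code handed to any authenticated user missing from the file.
ANONYMOUS_PERMISSIONS = {"compliance_read"}


def load_roles(xml_text):
    """Parse the user list into {username: [role, ...]}."""
    root = ET.fromstring(xml_text)
    roles = {}
    for user in root.findall("user"):
        role_attr = user.get("role", "")
        roles[user.get("name")] = [r.strip() for r in role_attr.split(",")
                                   if r.strip()]
    return roles


def _expand(role_names):
    """Union of the permissions granted by each known role; unknown
    role names grant nothing."""
    perms = set()
    for role in role_names:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def permissions_before_fix(roles, username):
    """Pre-fix: a user with no entry falls back to the anonymous profile,
    so logging in is enough to get the anonymous rights."""
    user_roles = roles.get(username)
    if user_roles is None:
        return set(ANONYMOUS_PERMISSIONS)
    return _expand(user_roles)


def permissions_after_fix(roles, username):
    """Fixed: a user with no entry (or only unknown roles) gets an empty
    set; the session exists but every authorization check denies."""
    return _expand(roles.get(username, []))


def is_authorized(permissions, required):
    """Allow only when the permission is explicitly present."""
    return required in permissions


if __name__ == "__main__":
    roles = load_roles(USERS_XML)
    for name in ("admin", "alice", "bob", "carol"):
        print(name,
              "before:", sorted(permissions_before_fix(roles, name)),
              "after:", sorted(permissions_after_fix(roles, name)))
```

Note that with the fixed semantics a typo in a role name is treated the same way as a missing entry: the user can still log in but sees nothing, which is the behaviour comment #7 describes.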

#8

Updated by Vincent MEMBRÉ almost 4 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.20, 3.0.15, 3.1.9 and 3.2.2 which were released today.
