Bug #8085
Status: closed
Web interface login: able to log in with valid LDAP account but no matching rudder-users.xml entry
Description
Hi,
as seen in topic:
A user who has no explicit entry in the users list in the XML file will be able to pass the web authentication and log in to a Rudder session.
In 2.x you'd only see a link to the Rudder docs and a "welcome" message; in 3.x+ you see the global compliance.
After discussion with Benoit this is actually to be considered a bug and not a feature.
You should not get in or at least get kicked out if you don't have actual permissions on the web interface.
Updated by Janos Mattyasovszky almost 9 years ago
- Found in version(s) old 2.11.19 added
Updated by François ARMAND almost 9 years ago
That seems right. The cause is that we had an "anonymous" profile, but it makes little sense to FORCE having it. So we should either remove it completely, or make it configurable whether users that are not in the authz file get anonymous rights or nothing at all.
Updated by François ARMAND over 8 years ago
- Target version set to 2.11.20
Targeting 2.11 to have a consistent behaviour across all Rudder versions, even if it wasn't a problem back then.
Updated by François ARMAND over 8 years ago
- Status changed from New to In progress
- Assignee changed from Benoît PECCATTE to François ARMAND
Updated by François ARMAND over 8 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/1069
Updated by François ARMAND over 8 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset rudder|210f0fa484c107da9b12ee02a100eb0b8030bf93.
Updated by François ARMAND over 8 years ago
- Assignee changed from Nicolas CHARLES to François ARMAND
- % Done changed from 100 to 0
The final solution is to let the user access Rudder but not let them see anything if no authorizations are defined at all (and so, if the user was not in the file). The other solution would have had a much bigger impact, and so was more risky.
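The behaviour change described in this ticket, modelled as an added example (illustrative Python, not Rudder's own Scala code): LDAP authentication succeeds either way, but the authorization lookup against a users file no longer falls back to an "anonymous" profile for accounts with no entry. The XML shape and role names below are assumed and simplified, not taken from a real rudder-users.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of a Rudder-style users file.
# The attributes and role names are assumptions for this example only.
USERS_XML = """<authentication hash="sha512">
  <user name="alice" role="administrator"/>
  <user name="bob" role="read_only,user"/>
</authentication>"""

# The implicit fallback profile the ticket identifies as the root cause.
ANONYMOUS_ROLES = frozenset({"anonymous"})


def load_roles(xml_text):
    """Map user name -> set of roles declared in the users file."""
    root = ET.fromstring(xml_text)
    roles = {}
    for user in root.findall("user"):
        declared = user.get("role", "")
        roles[user.get("name")] = frozenset(
            r.strip() for r in declared.split(",") if r.strip()
        )
    return roles


def roles_before_fix(ldap_authenticated, username, roles):
    """Pre-fix: an LDAP-authenticated user missing from the file silently
    inherits the anonymous profile (enough to see global compliance in 3.x)."""
    if not ldap_authenticated:
        return None  # authentication failed: no session at all
    return roles.get(username, ANONYMOUS_ROLES)


def roles_after_fix(ldap_authenticated, username, roles):
    """Post-fix: authentication still succeeds, but with no entry in the
    file the user gets an empty role set and therefore sees nothing."""
    if not ldap_authenticated:
        return None
    return roles.get(username, frozenset())


def can_view_anything(role_set):
    """Fail closed: only a non-empty role set grants any view (assumption)."""
    return role_set is not None and len(role_set) > 0
```

The pre-fix variant is kept only to show the gap: a valid directory account with no authorization entry is the case that must resolve to an empty role set.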
Updated by Vincent MEMBRÉ over 8 years ago
- Status changed from Pending release to Released