Project

General

Profile

Actions

Bug #8085

closed

web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry

Added by Florian Heigl about 5 years ago. Updated about 5 years ago.

Status:
Released
Priority:
1
Category:
Web - Maintenance
Target version:
Severity:
User visibility:
Effort required:
Priority:

Description

Hi,

as seen in topic:
A user that has no explicit entry in the users list in the xml file.

They'll be able to pass the web authentication and log in to a rudder session.

In 2.x you'd only see a link to the rudder docs and a "welcome" message
in 3.x+ you see the global compliance.

After discussion with Benoit this is actually to be considered a bug and not a feature.
You should not get in or at least get kicked out if you don't have actual permissions on the web interface.


Subtasks 1 (0 open1 closed)

Bug #8122: Merging #8085 from 2.11 broke branch 3.0ReleasedNicolas CHARLES2016-03-30Actions
Actions #1

Updated by Janos Mattyasovszky about 5 years ago

  • Found in version(s) old 2.11.19 added
Actions #2

Updated by François ARMAND about 5 years ago

That seems right. The cause is that we had a "anonymous" profile, but it makes little sense to FORCE to have it. So we should just either remove it completly, or make configurable the fact that user that are not in the authz file are getting anonymous rights or nothing at all.

Actions #3

Updated by François ARMAND about 5 years ago

  • Target version set to 2.11.20

Targetting 2.11 to have a consistent behaviour accross all Rudder versions, even if it wasn't a problem back then.

Actions #4

Updated by François ARMAND about 5 years ago

  • Status changed from New to In progress
  • Assignee changed from Benoît PECCATTE to François ARMAND
Actions #5

Updated by François ARMAND about 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/1069
Actions #6

Updated by François ARMAND about 5 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #7

Updated by François ARMAND about 5 years ago

  • Assignee changed from Nicolas CHARLES to François ARMAND
  • % Done changed from 100 to 0

The final solution is to let the user access Rudder but don't let see anything if no authorization are defined at all (and so, if it was not in the file). Other solution would have had a much bigger impact, and so were more risky.

Actions #8

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.20, 3.0.15, 3.1.9 and 3.2.2 which were released today.

Actions

Also available in: Atom PDF