Bug #8085
closed
web interface login: able to log in with valid ldap account but no matching rudder-users.xml entry
Added by Florian Heigl over 8 years ago.
Updated over 8 years ago.
Category: Web - Maintenance
Description
Hi,
as seen in topic:
A user that has no explicit entry in the users list in the XML file will still be able to pass the web authentication and log in to a Rudder session.
In 2.x you'd only see a link to the Rudder docs and a "welcome" message; in 3.x+ you see the global compliance.
After discussion with Benoit this is actually to be considered a bug and not a feature.
You should not get in or at least get kicked out if you don't have actual permissions on the web interface.
- Found in version(s) old 2.11.19 added
That seems right. The cause is that we had an "anonymous" profile, but it makes little sense to FORCE having it. So we should either remove it completely, or make it configurable whether users that are not in the authz file get anonymous rights or nothing at all.
- Target version set to 2.11.20
Targeting 2.11 to have a consistent behaviour across all Rudder versions, even if it wasn't a problem back then.
- Status changed from New to In progress
- Assignee changed from Benoît PECCATTE to François ARMAND
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/1069
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
- Assignee changed from Nicolas CHARLES to François ARMAND
- % Done changed from 100 to 0
The final solution is to let the user access Rudder but not let them see anything if no authorizations are defined at all (and so, if the user was not in the file). Other solutions would have had a much bigger impact, and so were riskier.
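Added illustration (not Rudder's own code): the authorization lookup described in the comment above, with the pre-fix fallback to an "anonymous" profile beside the fixed default-deny behaviour. The XML layout, the role names and the permission sets are assumptions constructed for this example; the real rudder-users.xml format differs.

```python
"""Authorization lookup for an LDAP-authenticated user against a
rudder-users.xml style file. Layout, roles and permissions below are
constructed for this example and are NOT Rudder's real format."""
import xml.etree.ElementTree as ET

# Constructed sample: alice and bob are listed; "carol" authenticates
# fine against LDAP but has no entry in the file at all.
SAMPLE_USERS_XML = """<authentication>
  <user name="alice" role="administrator"/>
  <user name="bob" role="read_only"/>
</authentication>"""

ROLE_PERMISSIONS = {  # constructed, minimal
    "administrator": {"view_compliance", "edit_rules", "edit_nodes"},
    "read_only": {"view_compliance"},
    "anonymous": {"view_compliance"},  # the old implicit profile
}


def load_authz(xml_text):
    """Map user name -> set of roles declared in the file."""
    authz = {}
    for user in ET.fromstring(xml_text).iter("user"):
        raw = user.get("role", "")
        authz[user.get("name")] = {r.strip() for r in raw.split(",") if r.strip()}
    return authz


def permissions_for(authz, username, anonymous_fallback=False):
    """Effective permissions once LDAP has already authenticated `username`.

    anonymous_fallback=True reproduces the reported bug: a user missing
    from the file silently inherits the "anonymous" profile and can see
    the global compliance. anonymous_fallback=False is the fixed
    behaviour: authenticated but unlisted users get no permissions, so
    the web interface shows them nothing.
    """
    if username in authz:
        roles = authz[username]
    elif anonymous_fallback:
        roles = {"anonymous"}
    else:
        roles = set()  # default deny: authentication is not authorization
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms
```

A user who is listed but carries an empty `role` attribute also ends up with no permissions, which is the same fail-closed outcome as being absent.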
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.11.20, 3.0.15, 3.1.9 and 3.2.2 which were released today.