Issue #1360

closed

Permissions retrieval from API doesn't work as expected

Added by amacdona@redhat.com over 8 years ago. Updated almost 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
Low
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

http://pulp.readthedocs.org/en/latest/dev-guide/integration/rest-api/permission/retrieval.html#retrieve-permissions-for-particular-resource

tl;dr: Permissions API only returns resources that are explicitly granted, leaving out resources that are implicitly granted.

A user is authorized to use a resource if they have been explicitly granted access to that resource or if the user has been granted access to a base of the given resource.

So if the user "admin" has been given access to `/`, they will implicitly have permission to access `/repositories/`.

As an example, if we query the API to see what users have permission to use the resource `/`, since admin was explicitly granted permission to this url, we can see that admin has permission here.

(pulp)[vagrant@dev pulp]$ http --json -a admin:admin --verify=no GET 'https://localhost/pulp/api/v2/permissions/?resource=/'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 191
Content-Type: application/json; charset=utf-8
Date: Thu, 05 Nov 2015 20:51:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.1k-fips mod_wsgi/4.4.8 Python/2.7.10

[
    {
        "_id": {
            "$oid": "563a54c6e779892dc40d2a9b"
        }, 
        "_ns": "permissions", 
        "id": "563a54c6e779892dc40d2a9b", 
        "resource": "/", 
        "users": {
            "admin": [
                "CREATE", 
                "READ", 
                "UPDATE", 
                "DELETE", 
                "EXECUTE"
            ]
        }
    }
]

However, despite the fact that the admin user has access to `/repositories/` because it has been granted access to `/`, this access is not shown by the API.

(pulp)[vagrant@dev pulp]$ http --json -a admin:admin --verify=no GET 'https://localhost/pulp/api/v2/permissions/?resource=/repositories/'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Thu, 05 Nov 2015 20:52:05 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.1k-fips mod_wsgi/4.4.8 Python/2.7.10

[]

Actions #1

Updated by ipanova@redhat.com over 8 years ago

If permissions were granted to "/" I don't think it will be good to display all resources as they are too many:

grep "url(r'^v2"  server/pulp/server/webservices/urls.py|wc -l
99

I think we have another issue here: imagine the situation where you grant permissions for a user on '/' but you don't want him to have access to (for example) /v2/repositories/. So you revoke permissions explicitly on this resource, but the user will still be able to access that.

So probably we could disable the possibility to give permission on '/' for users other than super-users. This will require people to explicitly give permissions for every resource, so permission retrieval from API will work as expected. But if there are too many to grant, this will complicate someone's life :)
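As an added example (not Pulp's code and not part of this ticket), the following toy model walks through the base-path authorization rule from the description, the explicit-only retrieval the reporter observed, and the revoke gap raised in comment #1; the storage layout (resource -> user -> set of operations) and the function names are assumptions made for the illustration.

```python
"""Toy model of the prefix-based authorization the ticket describes (added
example, not Pulp's code). Assumed storage: resource -> user -> set of ops;
resources are '/'-terminated paths as in the ticket."""
from typing import Dict, List, Set

Permissions = Dict[str, Dict[str, Set[str]]]
ALL_OPS = {"CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"}

def base_paths(resource: str) -> List[str]:
    """The resource and each of its base paths, most specific first, ending at '/'."""
    parts = [p for p in resource.split("/") if p]
    paths = ["/" + "/".join(parts[:i]) + "/" for i in range(len(parts), 0, -1)]
    return paths + ["/"]

def is_authorized(perms: Permissions, user: str, resource: str, op: str) -> bool:
    """A grant on the resource itself or on any base path authorizes the op."""
    return any(op in perms.get(p, {}).get(user, set()) for p in base_paths(resource))

def explicit_permissions(perms: Permissions, resource: str) -> Dict[str, Set[str]]:
    """What GET /permissions/?resource=... returns today: explicit grants only."""
    return {u: set(ops) for u, ops in perms.get(resource, {}).items()}

def effective_permissions(perms: Permissions, resource: str) -> Dict[str, Set[str]]:
    """What the reporter expected: grants inherited from base paths folded in."""
    effective: Dict[str, Set[str]] = {}
    for p in base_paths(resource):
        for user, ops in perms.get(p, {}).items():
            effective.setdefault(user, set()).update(ops)
    return effective

def revoke(perms: Permissions, user: str, resource: str, ops: Set[str]) -> None:
    """Remove an explicit grant. With no deny entries, a grant on a base path
    keeps authorizing the user afterwards (the gap raised in comment #1)."""
    granted = perms.get(resource, {}).get(user)
    if granted is None:
        return
    granted.difference_update(ops)
    if not granted:
        del perms[resource][user]

def demo() -> dict:
    # Constructed state: admin granted everything on '/', operator READ on /repositories/.
    perms: Permissions = {"/": {"admin": set(ALL_OPS)}, "/repositories/": {"operator": {"READ"}}}
    out = {"explicit": explicit_permissions(perms, "/repositories/"),
           "effective": effective_permissions(perms, "/repositories/"),
           "admin_read_before": is_authorized(perms, "admin", "/repositories/", "READ")}
    revoke(perms, "admin", "/repositories/", ALL_OPS)  # nothing explicit to remove
    out["admin_read_after"] = is_authorized(perms, "admin", "/repositories/", "READ")
    return out
```

Running `demo()` shows the retrieval gap (admin missing from `explicit` but present in `effective`) and that the revoke on `/repositories/` leaves admin authorized, because the grant on `/` is never consulted by a revoke.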

Actions #2

Updated by mhrivnak over 8 years ago

  • Triaged changed from No to Yes
Actions #3

Updated by bmbouter almost 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX

Actions #4

Updated by bmbouter almost 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #5

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
