Issue #1360 (closed)
Permissions retrieval from API doesn't work as expected
Description
tldr; Permissions API only returns resources that are explicitly granted, leaving out resources that are implicitly granted.
A user is authorized to use a resource if they have been explicitly granted access to that resource or if the user has been granted access to a base of the given resource.
So if the user "admin" has been given access to `/`, they will implicitly have permission to access `/repositories/`.
As an example, if we query the API to see what users have permission to use the resource `/`, since admin was explicitly granted permission to this url, we can see that admin has permission here.
```
(pulp)[vagrant@dev pulp]$ http --json -a admin:admin --verify=no GET 'https://localhost/pulp/api/v2/permissions/?resource=/'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 191
Content-Type: application/json; charset=utf-8
Date: Thu, 05 Nov 2015 20:51:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.1k-fips mod_wsgi/4.4.8 Python/2.7.10

[
    {
        "_id": {
            "$oid": "563a54c6e779892dc40d2a9b"
        },
        "_ns": "permissions",
        "id": "563a54c6e779892dc40d2a9b",
        "resource": "/",
        "users": {
            "admin": [
                "CREATE",
                "READ",
                "UPDATE",
                "DELETE",
                "EXECUTE"
            ]
        }
    }
]
```
However, despite the fact that the admin user has access to `/repositories/` because it has been granted access to `/`, this access is not shown by the API.
```
(pulp)[vagrant@dev pulp]$ http --json -a admin:admin --verify=no GET 'https://localhost/pulp/api/v2/permissions/?resource=/repositories/'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Thu, 05 Nov 2015 20:52:05 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.1k-fips mod_wsgi/4.4.8 Python/2.7.10

[]
```
Updated by ipanova@redhat.com over 7 years ago
If permissions were granted to "/" I don't think it will be good to display all resources, as they are too many:

```
grep "url(r'^v2" server/pulp/server/webservices/urls.py|wc -l
99
```

I think we have here another issue: imagine the situation where you grant permissions for a user on '/' but you don't want him to have access to (for example) /v2/repositories/. So you revoke permissions explicitly on this resource, but the user will still be able to access it.
So probably we could disable the possibility to give permission on '/' for users other than super-users. This will require people to explicitly give permissions for every resource, so permission retrieval from the API will work as expected. But if there are too many to grant, this will complicate someone's life :)
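As an added example (not Pulp's own code), the following is a small model of the authorization rule stated in the description: a user is authorized on a resource if granted on that resource or on any base of it. It places the explicit-only lookup, which is what the issue says the permissions API returns, beside an effective lookup that walks the base resources, and it also exercises the revoke-on-child scenario from the comment above. The store layout, the helper names (`base_resources`, `grant`, `revoke`, `explicit_permissions`, `effective_permissions`, `is_authorized`) and the sample users are all constructed here; only the operation names and the `/` and `/repositories/` resources come from the issue.

```python
"""Model of prefix-based authorization as described in the issue.

Added illustration, not Pulp's own code: the store, the helpers and the
sample grants are constructed for this example.
"""
from typing import Dict, Iterable, List, Set

OPERATIONS = ("CREATE", "READ", "UPDATE", "DELETE", "EXECUTE")

# resource -> user -> set of granted operations
# (same shape as the "users" map in the API's "permissions" documents)
PermissionStore = Dict[str, Dict[str, Set[str]]]


def base_resources(resource: str) -> List[str]:
    """Return the resource and every base of it, most specific first.

    '/repositories/foo/' -> ['/repositories/foo/', '/repositories/', '/']
    """
    if not resource.startswith("/"):
        raise ValueError("resource must be an absolute path")
    parts = [p for p in resource.strip("/").split("/") if p]
    chain = []
    for i in range(len(parts), -1, -1):
        prefix = "/".join(parts[:i])
        chain.append("/" + prefix + ("/" if prefix else ""))
    return chain


def grant(store: PermissionStore, resource: str, user: str, ops: Iterable[str]) -> None:
    """Record an explicit grant of ops on exactly this resource."""
    store.setdefault(resource, {}).setdefault(user, set()).update(ops)


def revoke(store: PermissionStore, resource: str, user: str, ops: Iterable[str]) -> None:
    """Remove an explicit grant on this resource only.

    This is not a deny rule: grants on base resources keep applying.
    """
    users = store.get(resource, {})
    if user in users:
        users[user].difference_update(ops)
        if not users[user]:
            del users[user]
    if resource in store and not store[resource]:
        del store[resource]


def explicit_permissions(store: PermissionStore, resource: str) -> Dict[str, List[str]]:
    """Only grants recorded on the resource itself (what the issue says the API returns)."""
    return {user: sorted(ops) for user, ops in store.get(resource, {}).items()}


def effective_permissions(store: PermissionStore, resource: str) -> Dict[str, List[str]]:
    """Union of grants on the resource and on all of its bases."""
    merged: Dict[str, Set[str]] = {}
    for base in base_resources(resource):
        for user, ops in store.get(base, {}).items():
            merged.setdefault(user, set()).update(ops)
    return {user: sorted(ops) for user, ops in merged.items()}


def is_authorized(store: PermissionStore, user: str, resource: str, operation: str) -> bool:
    """The rule from the description: explicit grant on the resource or on a base."""
    return operation in effective_permissions(store, resource).get(user, [])


def demo() -> Dict[str, List[str]]:
    """Reproduce the issue's scenario and the revoke case on a constructed store."""
    store: PermissionStore = {}
    grant(store, "/", "admin", OPERATIONS)
    grant(store, "/repositories/", "alice", ["READ"])

    # The explicit lookup misses admin on /repositories/, yet admin is authorized.
    assert "admin" not in explicit_permissions(store, "/repositories/")
    assert is_authorized(store, "admin", "/repositories/", "DELETE")

    # Revoking on the child removes nothing (no explicit grant there); the
    # grant on "/" still applies, so auditing should use the effective view.
    revoke(store, "/repositories/", "admin", OPERATIONS)
    assert is_authorized(store, "admin", "/repositories/", "READ")
    return effective_permissions(store, "/repositories/")


if __name__ == "__main__":
    print(demo())
```

When reviewing who can reach a resource, the effective view is the one to audit: the explicit view shows an empty list for `/repositories/` even though the `/` grant covers it.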
Updated by bmbouter almost 4 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter almost 4 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.