Bug #39086

closed

mgr/dashboard: "readonly user" can't see any pages

Added by Lenz Grimmer about 5 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
Stephan Müller
Category:
Security & Auth
Target version:
% Done:
0%

Source:
Tags:
Backport:
nautilus
Regression:
Yes
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When logging in as a user with the "readonly" role, the dashboard hides all pages with the message "Sorry, you are not allowed to see what you were looking for." after a few seconds (the refresh interval?). Also, a toasty error message appears that shows a "403 Forbidden" error (see screenshot attached).


Files

Peek 2019-04-02 23-33.gif (564 KB), Lenz Grimmer, 04/03/2019 03:38 AM

Related issues (1): 0 open, 1 closed

Copied to Dashboard - Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages (Resolved, Stephan Müller)

#1

Updated by Ernesto Puerta about 5 years ago

  • Category changed from 132 to 145

The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.

#2

Updated by Ricardo Marques about 5 years ago

Ernesto Puerta wrote:

The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.

Note that this endpoint is a 'POST', so it requires CREATE permission: https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724

We can fix this by adding the `@ReadPermission` decorator to the `get_notifications_since` method or by changing this endpoint to a 'GET' (not sure if the latter breaks any prometheus integration).

#3

Updated by Ricardo Marques about 5 years ago

  • Assignee set to Stephan Müller

#4

Updated by Ernesto Puerta about 5 years ago

Ricardo Marques wrote:

Note that this endpoint is a 'POST', so it requires CREATE permission: https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724

In that case, I think the proper approach is to use GET (as we are neither creating nor modifying anything in that endpoint) and to pass the last notification param in the query string: GET /prometheus/notifications?from=<last_notification>.

#5

Updated by Stephan Müller about 5 years ago

  • Status changed from New to Fix Under Review
  • Pull request ID set to 27348

It needs to be POST, as we pass the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size, as this is called every 5s.

#6

Updated by Lenz Grimmer about 5 years ago

Stephan Müller wrote:

It needs to be POST, as we pass the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size, as this is called every 5s.

The problem with using a POST request here is that it also floods the audit log, if dashboard auditing is enabled (the auditing code logs all requests except for GET, IIRC).

#7

Updated by Stephan Müller about 5 years ago

In the PR that will be merged soon, I'm using GET now.
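
A constructed model of the permission check this thread describes (added here; it is not Ceph's dashboard code, and the role, scope and permission names are assumptions). It shows why a role holding only READ received a 403 on the POST endpoint, how pinning the permission (the `@ReadPermission` option from #2) or switching to GET (#4, #7) changes the outcome, and which variants the audit log from #6 would record:

```python
from dataclasses import dataclass
from typing import Optional

# HTTP method -> required permission, as described in the thread: a POST
# needs CREATE, so a role holding only READ is refused with 403.
METHOD_PERMISSION = {
    "GET": "read",
    "POST": "create",
    "PUT": "update",
    "DELETE": "delete",
}

# Constructed roles (hypothetical values): the read-only role holds only
# READ in the prometheus scope.
ROLES = {
    "administrator": {"prometheus": {"read", "create", "update", "delete"}},
    "read-only": {"prometheus": {"read"}},
}


@dataclass(frozen=True)
class Endpoint:
    path: str
    method: str
    scope: str
    # Explicit permission, standing in for a decorator such as @ReadPermission.
    permission: Optional[str] = None

    def required_permission(self) -> str:
        return self.permission or METHOD_PERMISSION[self.method]


def authorize(role: str, endpoint: Endpoint) -> int:
    """Return the HTTP status a request would receive: 200 or 403."""
    granted = ROLES.get(role, {}).get(endpoint.scope, set())
    return 200 if endpoint.required_permission() in granted else 403


def is_audited(endpoint: Endpoint) -> bool:
    """Comment #6: auditing logs every request that is not a GET."""
    return endpoint.method != "GET"


# Before the fix: the notification poll is a POST with no explicit permission.
BROKEN = Endpoint("/api/prometheus/get_notifications_since", "POST", "prometheus")
# Fix option 1 (comment #2): keep POST but pin the permission to READ.
PINNED = Endpoint("/api/prometheus/get_notifications_since", "POST", "prometheus", "read")
# Fix option 2 (comments #4, #7): a GET with the last notification in the query string.
AS_GET = Endpoint("/api/prometheus/notifications", "GET", "prometheus")
```

Only the GET variant both passes for the read-only role and stays out of a non-GET audit log; the pinned POST fixes the 403 but still gets logged every 5s.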

#8

Updated by Lenz Grimmer about 5 years ago

  • Tags set to usability
  • Tags deleted (usability)

#9

Updated by Lenz Grimmer about 5 years ago

  • Status changed from Fix Under Review to Pending Backport
  • Target version set to v15.0.0
#10

Updated by Nathan Cutler about 5 years ago

  • Copied to Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages added
#11

Updated by Ricardo Marques about 5 years ago

  • Status changed from Pending Backport to Resolved
#12

Updated by Ernesto Puerta about 3 years ago

  • Project changed from mgr to Dashboard
  • Category changed from 145 to Security & Auth