Bug #39086: mgr/dashboard: "readonly user" can't see any pages - Dashboard - Ceph

Custom queries

Backports
Backports: nautilus
Bug queue
Bug queue (last 30 days)
Bug triage
Clean-ups
Crash queue
Crash triage
Dashboard bugs (last 180 days)
Dashboard Bugs (NEW) in the last 30 days (except accessibility)
Dashboard CDS
Dashboard Sprint 23
Feedback
Low Hanging Fruit
Monitoring
My issues
Need Review
Pending backports
Product Backlog Scrub
Quincy: backlog
Rook - Dashboard Integration bugs
Telemetry
Test Failures

Actions

Copy link

Bug #39086

closed

mgr/dashboard: "readonly user" can't see any pages

Added by Lenz Grimmer about 5 years ago. Updated about 3 years ago.

Status:

Resolved

Priority:

High

Assignee:

Stephan Müller

Category:

Security & Auth

Target version:

Ceph - v15.0.0

% Done:

Source:

Tags:

Backport:

nautilus

Regression:

Yes

Severity:

3 - minor

Reviewed:

Affected Versions:

Ceph - v14.2.0

ceph-qa-suite:

Pull request ID:

27348

Crash signature (v1):

Crash signature (v2):

Description

When logging in as a user with the "readonly" role, the dashboard hides all pages with the message "Sorry, you are not allowed to see what you were looking for." after a few seconds (the refresh interval?). Also, a toasty error message appears that shown as "403 Forbidden" error (see screenshot attached).

Files

Peek 2019-04-02 23-33.gif (564 KB) Peek 2019-04-02 23-33.gif

Lenz Grimmer, 04/03/2019 03:38 AM

Related issues 1 (0 open — 1 closed)

Copied to Dashboard - Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages

Resolved

Stephan Müller

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Ernesto Puerta about 5 years ago

Category changed from 132 to 145

The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that PROMETHEUS scope has no any READ-only permissions defined. It's an easy fix.

Actions

Copy link

Updated by Ricardo Marques about 5 years ago

Ernesto Puerta wrote:

The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that PROMETHEUS scope has no any READ-only permissions defined. It's an easy fix.

Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724

We can fix this by adding the `@ReadPermission` decorator to the `get_notifications_since` method or by changing this endpoit to a 'GET' (not sure if the latter breaks any prometheus integration).

Actions

Copy link

Updated by Ricardo Marques about 5 years ago

Assignee set to Stephan Müller

Actions

Copy link

Updated by Ernesto Puerta about 5 years ago

Ricardo Marques wrote:

Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724

In that case I think the proper approach is using GET (as we are neither creating nor modifying anything in that endpoint) and passing the last notification param in the query string: GET /prometheus/notifications?from=<last_notification>.

Actions

Copy link

Updated by Stephan Müller about 5 years ago

Status changed from New to Fix Under Review
Pull request ID set to 27348

It needs to be post as we give the last notification the dashboard got, this will return only newer notifications that the given one. This reduces the request size as this is called every 5s.

Actions

Copy link

Updated by Lenz Grimmer about 5 years ago

Stephan Müller wrote:

It needs to be post as we give the last notification the dashboard got, this will return only newer notifications that the given one. This reduces the request size as this is called every 5s.

The problem with using a POST request here is that it also floods the audit log, if dashboard auditing is enabled (the auditing code logs all requests except for GET, IIRC).

Actions

Copy link