Bug #39086
closed
mgr/dashboard: "readonly user" can't see any pages
Added by Lenz Grimmer about 5 years ago.
Updated about 3 years ago.
Description
When logging in as a user with the "readonly" role, the dashboard hides all pages with the message "Sorry, you are not allowed to see what you were looking for." after a few seconds (the refresh interval?). Also, a toast error message appears showing a "403 Forbidden" error (see screenshot attached).
- Category changed from 132 to 145
The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.
Ernesto Puerta wrote:
The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.
Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724
We can fix this by adding the `@ReadPermission` decorator to the `get_notifications_since` method or by changing this endpoint to a 'GET' (not sure if the latter breaks any Prometheus integration).
- Assignee set to Stephan Müller
- Status changed from New to Fix Under Review
- Pull request ID set to 27348
It needs to be POST as we give the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size, as this is called every 5s.
Stephan Müller wrote:
It needs to be POST as we give the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size, as this is called every 5s.
The problem with using a POST request here is that it also floods the audit log, if dashboard auditing is enabled (the auditing code logs all requests except for GET, IIRC).
In the PR that will be merged soon, I'm using GET now.
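A simplified model of the two behaviours discussed in this thread, added here as an illustration (not code from the Ceph dashboard): the HTTP verb selects the required permission unless a handler carries a READ override, and only non-GET requests are written to the audit log. The role table, the `dispatch` function and the `_required_permission` attribute are constructed for the example.

```python
from enum import Enum


class Permission(str, Enum):
    READ = "read"
    CREATE = "create"
    UPDATE = "update"
    DELETE = "delete"


# Default rule from the thread: the HTTP verb decides the permission,
# so a POST needs CREATE unless the handler is explicitly overridden.
METHOD_PERMISSION = {
    "GET": Permission.READ,
    "POST": Permission.CREATE,
    "PUT": Permission.UPDATE,
    "DELETE": Permission.DELETE,
}

# Constructed role table (scope -> permissions); not Ceph's real role definitions.
ROLES = {
    "read-only": {"prometheus": {Permission.READ}},
    "administrator": {"prometheus": set(Permission)},
}


def ReadPermission(func):
    """Decorator override: the endpoint only needs READ, whatever its verb."""
    func._required_permission = Permission.READ
    return func


def dispatch(role, method, scope, handler, audit_log):
    """Authorize, audit (non-GET only, as the thread describes) and run a handler."""
    required = getattr(handler, "_required_permission", METHOD_PERMISSION[method])
    if required not in ROLES.get(role, {}).get(scope, set()):
        return 403, "Forbidden"
    if method != "GET":  # assumption: auditing records every non-GET request
        audit_log.append(f"{role} {method} {scope}/{handler.__name__}")
    return 200, handler()


def get_notifications_since():
    """Handler as reported: a POST endpoint with no READ-only override."""
    return "notifications"


@ReadPermission
def get_notifications_since_fixed():
    """Same handler with the @ReadPermission fix applied."""
    return "notifications"
```

Running the read-only role through both handlers shows why the decorator alone removes the 403 but, because the verb is still POST, keeps filling the audit log every 5s.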
- Tags set to usability
- Tags deleted (usability)
- Status changed from Fix Under Review to Pending Backport
- Target version set to v15.0.0
- Copied to Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages added
- Status changed from Pending Backport to Resolved
- Project changed from mgr to Dashboard
- Category changed from 145 to Security & Auth