Project

General

Profile

Bug #25094

mgr/dashboard: Only list tasks that user is authorized to see

Added by Ricardo Marques over 4 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
General
Target version:
% Done:

100%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Currently all tasks are displayed, regardless of user permissions.

In the following example, user is only allowed to manage pool, but he can see an RBD task:

task-permissions.png View (15.6 KB) Ricardo Marques, 07/25/2018 10:10 AM

recent notifications.png View - View from a read-only user (22.6 KB) Tina Kallio, 11/23/2018 12:01 PM


Related issues

Related to Dashboard - Bug #36328: Roles: issues Duplicate

History

#1 Updated by Ricardo Marques about 4 years ago

#2 Updated by Ricardo Dias about 4 years ago

To fix the bug described in this issue we need to dynamically verify the user permissions and filter the task list accordingly.
We already preform dynamic checks of user permissions in other controllers, such as in "controllers/summary.py" or in "controllers/dashboard.py".

Each task has always a name, usually of the form "component/action" (e.g., "rbd/create", "pool/delete"). We can use the component name, and action name, to decide which security scope and kind of permission to use for querying the user permissions. For instance, for the task with the "rbd/create" name we should only include it the tasks list if the condition "self._has_permissions(Permission.CREATE, Scope.RBD_IMAGE)" is true.

#3 Updated by Tina Kallio about 4 years ago

  • Assignee set to Tina Kallio

#4 Updated by Tina Kallio about 4 years ago

Changes made to filter out task according to permission in task-list works.

However, if a user (regardless of permissions) log in to the same browser after another user, all events listed in "Recent notifications" from previous user are displayed. This includes but is not limited to finished tasks, see image. Note! This is not a problem when using a new browser.

Suggested to be treated seperatly, issue created:

https://tracker.ceph.com/issues/37379

#5 Updated by Tina Kallio almost 4 years ago

  • Status changed from In Progress to Fix Under Review

#6 Updated by Tatjana Dehler almost 4 years ago

  • Pull request ID set to 25426

#7 Updated by Lenz Grimmer almost 4 years ago

  • Status changed from Fix Under Review to Resolved
  • Target version set to v14.0.0

#8 Updated by Tina Kallio almost 4 years ago

  • % Done changed from 80 to 100

#9 Updated by Ernesto Puerta over 1 year ago

  • Project changed from mgr to Dashboard
  • Category changed from 132 to General

Also available in: Atom PDF