Bug #39086

mgr/dashboard: "readonly user" can't see any pages

Added by Lenz Grimmer 7 months ago. Updated 6 months ago.

Status: Resolved
Priority: High
Category: dashboard/auth-sso
Target version:
Start date: 04/03/2019
Due date:
% Done: 0%
Source:
Tags:
Backport: nautilus
Regression: Yes
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

When logging in as a user with the "readonly" role, the dashboard hides all pages with the message "Sorry, you are not allowed to see what you were looking for." after a few seconds (the refresh interval?). Also, a toasty error message appears that shows as a "403 Forbidden" error (see screenshot attached).

Attachment: Peek 2019-04-02 23-33.gif (564 KB), Lenz Grimmer, 04/03/2019 03:38 AM


Related issues

Copied to mgr - Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages Resolved

History

#1 Updated by Ernesto Puerta 7 months ago

  • Category changed from dashboard/general to dashboard/auth-sso

The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.

#2 Updated by Ricardo Marques 7 months ago

Ernesto Puerta wrote:

The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.

Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724

We can fix this by adding the `@ReadPermission` decorator to the `get_notifications_since` method or by changing this endpoint to a 'GET' (not sure if the latter breaks any prometheus integration).

#3 Updated by Ricardo Marques 7 months ago

  • Assignee set to Stephan Müller

#4 Updated by Ernesto Puerta 7 months ago

Ricardo Marques wrote:

Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724

In that case I think the proper approach is using GET (as we are neither creating nor modifying anything in that endpoint) and passing the last notification param in the query string: GET /prometheus/notifications?from=<last_notification>.

#5 Updated by Stephan Müller 7 months ago

  • Status changed from New to Need Review
  • Pull request ID set to 27348

It needs to be POST as we give the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size as this is called every 5s.

#6 Updated by Lenz Grimmer 7 months ago

Stephan Müller wrote:

It needs to be POST as we give the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size as this is called every 5s.

The problem with using a POST request here is that it also floods the audit log, if dashboard auditing is enabled (the auditing code logs all requests except for GET, IIRC).

#7 Updated by Stephan Müller 7 months ago

In the PR that will be merged soon, I'm using GET now.
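An added illustration of the mechanism discussed in comments #2, #4 and #6 (this is constructed example code, not the Ceph dashboard's own implementation): a method-to-permission mapping in which POST implies CREATE, so a read-only user polling via POST is refused with 403, while the GET variant with a `from` query parameter (or a POST that explicitly declares read permission) succeeds; the `audited` flag models the "everything except GET is logged" behaviour mentioned in comment #6. The permission names, the `handle` function and the notification store are assumptions for the example.

```python
from urllib.parse import parse_qs, urlparse

# Assumed mapping from HTTP method to the permission it implies, mirroring the
# thread's point that a POST endpoint requires CREATE while GET requires READ.
METHOD_PERMISSION = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

# Constructed notification store: (id, text), ids increase with time.
NOTIFICATIONS = [(1, "alert A"), (2, "alert B"), (3, "alert C")]

# Permissions a "readonly" user holds on the prometheus scope (assumed).
READONLY = {"read"}


def notifications_since(last_id):
    """Return only the notifications newer than last_id (the 'since' semantics)."""
    return [n for n in NOTIFICATIONS if n[0] > last_id]


def handle(method, url, body, user_perms, explicit_perm=None):
    """Authorize and serve one poll request.

    Returns (status, payload, audited). explicit_perm models an endpoint that
    declares its own permission (the @ReadPermission idea); when it is None the
    required permission falls back to the method mapping. Every non-GET request
    is marked as audited, which is what floods the audit log on a 5s poll."""
    audited = method != "GET"
    needed = explicit_perm or METHOD_PERMISSION[method]
    if needed not in user_perms:
        return 403, "Forbidden", audited
    if method == "GET":
        query = parse_qs(urlparse(url).query)
        last = int(query.get("from", ["0"])[0])
    else:
        last = int(body.get("last", 0))
    return 200, notifications_since(last), audited


def poll_with_post():
    # Original shape: POST to get_notifications_since -> CREATE required -> 403.
    return handle("POST", "/api/prometheus/get_notifications_since", {"last": 1}, READONLY)


def poll_with_get():
    # Shape proposed in the thread: GET /prometheus/notifications?from=<last>.
    return handle("GET", "/prometheus/notifications?from=1", None, READONLY)


def poll_with_read_decorator():
    # Alternative from the thread: keep POST but declare read permission explicitly.
    return handle("POST", "/api/prometheus/get_notifications_since", {"last": 1}, READONLY, "read")
```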

#8 Updated by Lenz Grimmer 7 months ago

  • Tags set to usability
  • Tags deleted (usability)

#9 Updated by Lenz Grimmer 7 months ago

  • Status changed from Need Review to Pending Backport
  • Target version set to v15.0.0

#10 Updated by Nathan Cutler 7 months ago

  • Copied to Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages added

#11 Updated by Ricardo Marques 6 months ago

  • Status changed from Pending Backport to Resolved
