Bug #39086
mgr/dashboard: "readonly user" can't see any pages
Description
When logging in as a user with the "readonly" role, the dashboard hides all pages with the message "Sorry, you are not allowed to see what you were looking for." after a few seconds (the refresh interval?). Also, a toast error message appears showing a "403 Forbidden" error (see screenshot attached).
History
#1 Updated by Ernesto Puerta almost 2 years ago
- Category changed from dashboard/general to dashboard/auth-sso
The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.
#2 Updated by Ricardo Marques almost 2 years ago
Ernesto Puerta wrote:
The 403 is triggered by the /api/prometheus/get_notifications_since endpoint (this can be easily seen in the browser inspector -> network tab). It seems that the PROMETHEUS scope has no READ-only permissions defined. It's an easy fix.
Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724
We can fix this by adding the `@ReadPermission` decorator to the `get_notifications_since` method or by changing this endpoint to a 'GET' (not sure if the latter breaks any prometheus integration).
#3 Updated by Ricardo Marques almost 2 years ago
- Assignee set to Stephan Müller
#4 Updated by Ernesto Puerta almost 2 years ago
Ricardo Marques wrote:
Note that this endpoint is a 'POST' so it requires CREATE permission https://github.com/ceph/ceph/blob/master/src/pybind/mgr/dashboard/controllers/__init__.py#L724
In that case I think the proper approach is to use GET (as we are neither creating nor modifying anything in that endpoint) and pass the last notification param in the query string: GET /prometheus/notifications?from=<last_notification>.
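To make the permission rule discussed in #2 and #4 concrete, here is an added, self-contained Python model (not the Ceph dashboard's own code): the permission an endpoint requires is derived from its HTTP method unless a decorator overrides it, so a POST handler demands CREATE and a read-only role gets 403, while a read-permission decorator or a GET route lets the same read-only role through. All names here (`ReadPermission`, `dispatch`, the roles table, the sample notifications) are assumptions for illustration.

```python
from functools import wraps

# Permission implied by each HTTP method when the handler declares nothing.
METHOD_PERMISSION = {"GET": "read", "POST": "create",
                     "PUT": "update", "DELETE": "delete"}

# Constructed role table: role -> scope -> set of granted permissions.
ROLES = {
    "read-only": {"prometheus": {"read"}},
    "administrator": {"prometheus": {"read", "create", "update", "delete"}},
}

def ReadPermission(func):
    """Hypothetical decorator: mark a handler as read-only regardless of method."""
    @wraps(func)
    def wrapper(**params):
        return func(**params)
    wrapper._required_permission = "read"
    return wrapper

def dispatch(role, scope, method, handler, **params):
    """Check the role's permissions for this scope, then call the handler.

    Returns (status, body); 403 is what the read-only user saw on the page."""
    required = getattr(handler, "_required_permission",
                       METHOD_PERMISSION[method])
    granted = ROLES.get(role, {}).get(scope, set())
    if required not in granted:
        return 403, "Forbidden"
    return 200, handler(**params)

# Constructed sample notifications; the dashboard only wants ones newer
# than the last id it already has.
NOTIFICATIONS = [{"id": 1, "alert": "DiskFull"},
                 {"id": 2, "alert": "OSDDown"},
                 {"id": 3, "alert": "MonDown"}]

def get_notifications_since(last_id=0):
    """Handler without any permission override: POST => CREATE required."""
    return [n for n in NOTIFICATIONS if n["id"] > last_id]

# The same handler declared read-only, as comment #2 proposes.
get_notifications_since_ro = ReadPermission(get_notifications_since)
```

Calling `dispatch("read-only", "prometheus", "POST", get_notifications_since, last_id=1)` yields the 403, whereas the decorated handler, or the plain handler routed as GET, returns the two newer notifications.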
#5 Updated by Stephan Müller almost 2 years ago
- Status changed from New to Fix Under Review
- Pull request ID set to 27348
It needs to be POST as we give the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size as this is called every 5s.
#6 Updated by Lenz Grimmer almost 2 years ago
Stephan Müller wrote:
It needs to be POST as we give the last notification the dashboard got; this will return only notifications newer than the given one. This reduces the request size as this is called every 5s.
The problem with using a POST request here is that it also floods the audit log, if dashboard auditing is enabled (the auditing code logs all requests except for GET, IIRC).
#7 Updated by Stephan Müller almost 2 years ago
In the PR that will be merged soon, I'm using GET now.
#8 Updated by Lenz Grimmer almost 2 years ago
- Tags set to usability
- Tags deleted (usability)
#9 Updated by Lenz Grimmer almost 2 years ago
- Status changed from Fix Under Review to Pending Backport
- Target version set to v15.0.0
#10 Updated by Nathan Cutler almost 2 years ago
- Copied to Backport #39240: nautilus: mgr/dashboard: "readonly user" can't see any pages added
#11 Updated by Ricardo Marques almost 2 years ago
- Status changed from Pending Backport to Resolved