Bug 1268830
Summary: | Foreman role permission violations are not logging | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Peter Vreman <peter.vreman> |
Component: | Users & Roles | Assignee: | Ivan Necas <inecas> |
Status: | CLOSED ERRATA | QA Contact: | Katello QA List <katello-qa-list> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 6.1.2 | CC: | bbuckingham, bkearney, cwelton, dhlavacd, inecas, jcallaha, mhulan, orabin, peter.vreman, zhunting |
Target Milestone: | Unspecified | Keywords: | Reopened, Triaged |
Target Release: | Unused | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-02-21 16:51:07 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1122832 | | |
Description
Peter Vreman
2015-10-05 12:11:06 UTC
I just found that Foreman 1.9 looks like it has this feature, with the granular logging including 'permissions':

--------
Foreman debugging

Edit /etc/foreman/settings.yaml and either uncomment or add these lines:

    :logging:
      :level: debug

And reload Foreman:

    touch ~foreman/tmp/restart.txt

Enabling more specific logs

More types of log messages can be enabled from settings.yaml:

    app - web requests and all general application logs (default: true)
    ldap - high level LDAP queries (e.g. find users in group) and LDAP operations performed (default: false)
    permissions - evaluation of user roles, filters and permissions when loading pages (default: false)
    sql - SQL queries made through Rails ActiveRecord, only debug (default: true)

Uncomment or add a :loggers block to enable or disable loggers:

    :loggers:
      :ldap:
        :enabled: true
--------

So 1.9 (which will be included in 6.2) will meet the requirements of this bug?

Correct, based on the documentation of Foreman 1.9 it will meet the requirements of this bug. This bug is only minor and needed when you have to troubleshoot a misconfiguration. Target 6.2 is ok for me.

Failed QA in Satellite 6.2 Beta Snap 19.1

The logs still do not note when a user is trying to perform an operation they are not authorized to. For example, compare the two log entries below. The second entry does not explicitly log that the user is unauthorized to perform the action they are trying.

1 ---
    [I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:36:56 -0400
    [I] Processing by Api::V2::HostsController#show as JSON
    [I] Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
    [I] Authorized user admin(Admin User)

2 ---
    [I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:38:03 -0400
    [I] Processing by Api::V2::HostsController#show as JSON
    [I] Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
    [I] Authorized user viewer(viewer)
    [I] Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.9ms)
    [I] Filter chain halted as :authorize rendered or redirected
    [I] Completed 403 Forbidden in 58ms (Views: 4.6ms | ActiveRecord: 11.6ms)

/etc/foreman/settings.yaml
    ...
    # Log settings for the current environment can be adjusted by adding them
    # here. For example, if you want to increase the log level.
    :logging:
      :level: debug
    # Individual logging types can be toggled on/off here
    :loggers:
      :ldap:
        :enabled: true
      :permissions:
        :enabled: true

Hi,

In the output of the log from comment 6 the user without authorization gets "Completed 403 Forbidden", which does indicate there is an authorization issue. What I understand from the description of the bug is that the problem is only when everything in the log looks good (Completed 200 OK) but you don't see the full output because of permissions. Does that case work with the settings change? The question may be more suited for the reporter.

While 403's could potentially be considered to be showing when a user doesn't have permissions, I would personally like to have seen a more explicit log of a role permissions violation. The text returned by the API is a great example of such a message. Is it possible to have this response logged as well, like normal responses are?

    {
      "error": {
        "message": "Access denied",
        "details": "Missing one of the required permissions: view_hosts"
      }
    }

As a UI User I expect a clean error message instead of the content being shown. This should be all in the same UI web page and not a generic Forbidden page, because as a User I might be continuing to click on other content to be shown.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

Created redmine issue http://projects.theforeman.org/issues/18410 from this bug

With permissions logging enabled, the denials were still not logged fully in the API. In fix https://github.com/theforeman/foreman/pull/4257, I've added logging of the reason for permission denials for the API, and changed the level in UI logging from debug to info, as I believe this information is on a different level than other debug info from permissions.

I verified this on snap-11.0. The steps I took were:

1. Created a user with only viewer roles

2. curl -s -u tester:changeme https://ibm-ls21-04.rhts.eng.bos.redhat.com/api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999

    {
      "total": 0,
      "subtotal": 0,
      "page": 1,
      "per_page": 9999,
      "search": " host = li-lc-1443.hag.hilti.com",
      "sort": {
        "by": null,
        "order": null
      },
      "results": {}
    }

3. Then I checked in the production log and found:

    2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)
    2017-08-16 14:53:52 31a4650f [app] [I] Authorized user tester(testy )
    2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
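The QA comment with the two log entries shows that, before the fix, a denied request was only recognisable from "Filter chain halted as :authorize rendered or redirected" followed by "Completed 403 Forbidden". As an added example (not code from the bug report or from Foreman), the Python below reconstructs each request from production.log lines in either of the two line formats seen on this page and emits the kind of explicit denial record the reporter asked for, with user, controller action and client address. The sample lines are constructed from comment 6; the admin request's "Completed 200" line and the output format are invented for the example.

```python
import re

# Accepts plain "[I] msg" lines (comment 6) and newer "<date> <time> <request id> [app] [I] msg" lines.
LINE_RE = re.compile(r'^(?:\S+ \S+ (?P<rid>\w+) \[\w+\] )?\[[A-Z]\] (?P<msg>.*)$')
STARTED_RE = re.compile(r'^Started (?P<verb>[A-Z]+) "(?P<path>[^"]+)" for (?P<ip>\S+)')
PROCESSING_RE = re.compile(r'^Processing by (?P<action>\S+) as')
USER_RE = re.compile(r'^Authorized user (?P<login>[^(]+)\(')
COMPLETED_RE = re.compile(r'^Completed (?P<status>\d{3})')
# Constructed sample: the two requests from comment 6 (the admin's "Completed 200" line is invented).
SAMPLE_LOG = """\
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:36:56 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I] Authorized user admin(Admin User)
[I] Completed 200 OK in 120ms (Views: 40.0ms | ActiveRecord: 30.0ms)
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:38:03 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I] Authorized user viewer(viewer)
[I] Filter chain halted as :authorize rendered or redirected
[I] Completed 403 Forbidden in 58ms (Views: 4.6ms | ActiveRecord: 11.6ms)
"""

def find_denials(log_text):
    """One record per request that completed 403; grouped by request id when present,
    otherwise treated as one sequential stream (old-format concurrent requests may interleave)."""
    open_reqs, denials = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rid, msg = m.group('rid') or '-', m.group('msg')
        if (s := STARTED_RE.match(msg)):
            open_reqs[rid] = dict(s.groupdict(), rid=rid, action=None, login=None)
        elif (req := open_reqs.get(rid)) is None:
            continue                      # line that belongs to no open request
        elif (p := PROCESSING_RE.match(msg)):
            req['action'] = p.group('action')
        elif (u := USER_RE.match(msg)):
            req['login'] = u.group('login')
        elif 'Filter chain halted as :authorize' in msg:
            req['authorize_halted'] = True   # the authorize before_filter refused it
        elif (c := COMPLETED_RE.match(msg)):
            req['status'] = int(c.group('status'))
            if req['status'] == 403:
                denials.append(req)
            del open_reqs[rid]
    return denials

def format_denial(d):  # explicit one-line record (constructed format, not Foreman's)
    return (f"DENIED user={d['login']} {d['verb']} {d['path']} "
            f"action={d['action']} from={d['ip']}")
```

Running `format_denial` over `find_denials(SAMPLE_LOG)` yields a single line for the viewer's request; the admin's 200 request is not reported.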