Bug 1268830

Summary: Foreman role permission violations are not logging
Product: Red Hat Satellite
Reporter: Peter Vreman <peter.vreman>
Component: Users & Roles
Assignee: Ivan Necas <inecas>
Status: CLOSED ERRATA
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.1.2
CC: bbuckingham, bkearney, cwelton, dhlavacd, inecas, jcallaha, mhulan, orabin, peter.vreman, zhunting
Target Milestone: Unspecified
Keywords: Reopened, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-21 16:51:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1122832

Description Peter Vreman 2015-10-05 12:11:06 UTC
Description of problem:
Related to BZ1268829 with retrieving the Facts with only the Viewer role.
There is no audit / logging that the user has too few permissions to view the facts.
The logging even shows that the user is Authorized correctly.
That the response will be empty because there is no permission is not logged.
This makes it complex to troubleshoot what the cause is when no facts are returned.

$ curl -s -uviewer:xxxx https://li-lc-1578.hag.hilti.com/api/v2/users/viewer | jq .roles
[
  {
    "id": 19,
    "name": "Anonymous"
  },
  {
    "id": 16,
    "name": "Viewer"
  }
]

$ curl -s -uviewer:xxxx https://li-lc-1578.hag.hilti.com//api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999 | jq .
{
  "results": {},
  "sort": {
    "order": null,
    "by": null
  },
  "search": " host = li-lc-1443.hag.hilti.com",
  "per_page": 9999,
  "page": 1,
  "subtotal": 0,
  "total": 0
}

2015-10-05 11:46:07 [I] Processing by Api::V2::FactValuesController#index as JSON
2015-10-05 11:46:07 [I]   Parameters: {"per_page"=>"9999", "apiv"=>"v2", "host_id"=>"li-lc-1443.hag.hilti.com"}
2015-10-05 11:46:07 [I] Authorized user viewer(viewer )
2015-10-05 11:46:07 [I]   Rendered api/v2/fact_values/index.json.rabl within api/v2/layouts/index_layout (3.0ms)
2015-10-05 11:46:07 [I] Completed 200 OK in 341ms (Views: 27.8ms | ActiveRecord: 47.8ms)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Query facts using a User with only the Viewer role

Actual results:
No logging that the user has too few permissions

Expected results:
Logging that the user has no permissions to view the facts

Additional info:

Comment 2 Peter Vreman 2015-10-05 14:21:36 UTC
I just found that Foreman 1.9 looks like it has this feature with the granular logging, including 'permissions':

--------
Foreman debugging

Edit /etc/foreman/settings.yaml and either uncomment or add these lines:

:logging:
  :level: debug

And reload Foreman:

touch ~foreman/tmp/restart.txt

Enabling more specific logs

More types of log messages can be enabled from settings.yaml:

    app - web requests and all general application logs (default: true)
    ldap - high level LDAP queries (e.g. find users in group) and LDAP operations performed (default: false)
    permissions - evaluation of user roles, filters and permissions when loading pages (default: false)
    sql - SQL queries made through Rails ActiveRecord, only debug (default: true)

Uncomment or add a :loggers block to enable or disable loggers:

:loggers:
  :ldap:
    :enabled: true
--------

Comment 3 Bryan Kearney 2015-10-07 20:53:11 UTC
So 1.9 (which will be included in 6.2) will meet the requirements of this bug?

Comment 4 Peter Vreman 2015-10-08 06:47:28 UTC
Correct, based on the documentation of Foreman 1.9 it will meet the requirements of this bug.
This bug is only minor and needed when you have to troubleshoot a misconfiguration. Target 6.2 is ok for me.

Comment 6 jcallaha 2016-07-12 19:02:40 UTC
Failed QA in Satellite 6.2 Beta Snap 19.1

The logs still do not note when a user is trying to perform an operation they are not authorized to. For example, compare the two log entries below. The second entry does not explicitly log that the user is unauthorized to perform the action they are trying.

 1
---
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:36:56 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I]   Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
[I] Authorized user admin(Admin User)

 2
---
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:38:03 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I]   Parameters: {"apiv"=>"v2", "id"=>"5", :host=>{}}
[I] Authorized user viewer(viewer)
[I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.9ms)
[I] Filter chain halted as :authorize rendered or redirected
[I] Completed 403 Forbidden in 58ms (Views: 4.6ms | ActiveRecord: 11.6ms)

/etc/foreman/settings.yaml

...
# Log settings for the current environment can be adjusted by adding them
# here. For example, if you want to increase the log level.
:logging:
  :level: debug

# Individual logging types can be toggled on/off here
:loggers:
  :ldap:
    :enabled: true
  :permissions:
    :enabled: true
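As an added example (not Foreman code and not from any commenter on this bug), a small parser over log lines in the production.log format shown above: it groups each request's lines from "Started" to "Completed" and flags only requests where the log itself records a denial (the access_denied template being rendered or the :authorize filter halting the chain, ending in 403). The viewer's facts request from the description parses as an ordinary 200 with no denial marker, which is exactly the gap reported here; the sample lines, the admin "Completed" line and the timings are constructed from the excerpts on this page.

```python
import re

# Constructed sample from this bug's log excerpts: admin hosts#show (200), viewer hosts#show (403), viewer facts (200, empty).
SAMPLE_LOG = """\
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:36:56 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I] Authorized user admin(Admin User)
[I] Completed 200 OK in 45ms (Views: 4.0ms | ActiveRecord: 9.1ms)
[I] Started GET "/api/v2/hosts/5" for 10.10.58.113 at 2016-07-12 14:38:03 -0400
[I] Processing by Api::V2::HostsController#show as JSON
[I] Authorized user viewer(viewer)
[I]   Rendered api/v2/errors/access_denied.json.rabl within api/v2/layouts/error_layout (0.9ms)
[I] Filter chain halted as :authorize rendered or redirected
[I] Completed 403 Forbidden in 58ms (Views: 4.6ms | ActiveRecord: 11.6ms)
[I] Started GET "/api/v2/hosts/li-lc-1443.hag.hilti.com/facts" for 10.10.58.113 at 2015-10-05 11:46:07 +0000
[I] Processing by Api::V2::FactValuesController#index as JSON
[I] Authorized user viewer(viewer )
[I] Completed 200 OK in 341ms (Views: 27.8ms | ActiveRecord: 47.8ms)
"""

STARTED = re.compile(r'Started \w+ "([^"]+)"')
PROCESSING = re.compile(r'Processing by (\S+) as')
AUTHORIZED = re.compile(r'Authorized user (\S+?)\(')   # names the user, says nothing about permissions
COMPLETED = re.compile(r'Completed (\d{3})')
DENIAL_MARKERS = ("access_denied", "Filter chain halted as :authorize")  # the only explicit denial lines

def parse_requests(lines):
    """Group lines into Started..Completed requests; return one dict per request."""
    requests, cur = [], None
    for line in lines:
        if m := STARTED.search(line):
            cur = {"path": m[1], "action": "", "user": None, "status": None, "denied": False}
            requests.append(cur)
        elif cur is None:
            continue
        elif m := PROCESSING.search(line):
            cur["action"] = m[1]
        elif m := AUTHORIZED.search(line):
            cur["user"] = m[1]
        elif any(marker in line for marker in DENIAL_MARKERS):
            cur["denied"] = True
        elif m := COMPLETED.search(line):
            cur["status"] = int(m[1])
            cur = None   # request finished; later lines belong to the next one
    return requests

def explicit_denials(requests):
    """Requests whose own log lines record an authorization failure."""
    return [r for r in requests if r["denied"] or r["status"] == 403]
```

Run over a real production.log, the viewer's empty-but-successful facts query never appears in explicit_denials, so an operator cannot tell it apart from a host that simply has no facts.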

Comment 7 orabin 2016-07-13 08:36:57 UTC
Hi,

In the output of the log from comment 6 the user without authorization gets: Completed 403 Forbidden which does indicate there is an authorization issue.

What I understand from the description of the bug is that the problem is only when everything in the log looks good (Completed 200 OK) but you don't see the full output because of permissions.
Does that case work with the settings change?

Comment 8 jcallaha 2016-07-15 12:41:13 UTC
The question may be more suited for the reporter. While 403's could potentially be considered to be showing when a user doesn't have permissions, I would personally like to have seen a more explicit log of a role permissions violation. The text returned by the API is a great example of such a message. Is it possible to have this response logged as well, like normal responses are?

{
  "error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: view_hosts"
  }
}

Comment 9 Peter Vreman 2016-07-15 13:24:15 UTC
As a UI User I expect a clean error message instead of the content being shown. This should be all in the same UI web page and not a generic Forbidden page, because as a User I might continue to click on other content to be shown.

Comment 11 errata-xmlrpc 2016-07-27 08:57:03 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

Comment 14 Ivan Necas 2017-02-07 12:11:25 UTC
Created redmine issue http://projects.theforeman.org/issues/18410 from this bug

Comment 15 Ivan Necas 2017-02-07 12:17:42 UTC
With permissions logging enabled, the denials were still not logged fully in API. In fix https://github.com/theforeman/foreman/pull/4257, I've added logging of the reason for permission denials for the API + changed the level in UI logging from debug to info, as I believe this information is on a different level than other debug info from permissions.

Comment 18 Zach Huntington-Meath 2017-08-16 18:56:49 UTC
I verified this on snap-11.0. The steps I took were:

1. Created a user with only viewer roles

2.

curl -s -u tester:changeme https://ibm-ls21-04.rhts.eng.bos.redhat.com/api/v2/hosts/li-lc-1443.hag.hilti.com/facts?per_page=9999 
{
  "total": 0,
  "subtotal": 0,
  "page": 1,
  "per_page": 9999,
  "search": " host = li-lc-1443.hag.hilti.com",
  "sort": {
    "by": null,
    "order": null
  },
  "results": {}
}


3. Then I checked in the production log and found:

2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)
2017-08-16 14:53:52 31a4650f [app] [I] Authorized user tester(testy )
2017-08-16 14:53:52 31a4650f [app] [I] Current user: tester (regular user)

Comment 19 Satellite Program 2018-02-21 16:51:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336