Bug 1974685
| Summary: | Non-admin user can not revoke user access token, attempt ends with 404 | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Ondřej Ezr <oezr> |
| Component: | Users & Roles | Assignee: | Ondřej Ezr <oezr> |
| Status: | CLOSED ERRATA | QA Contact: | Akhil Jha <akjha> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.10.0 | CC: | inecas, mhulan, oezr, osousa, sshtein |
| Target Milestone: | 6.10.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | foreman-2.5.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-16 14:12:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ondřej Ezr
2021-06-22 10:15:03 UTC
Created from redmine issue https://projects.theforeman.org/issues/32826 Upstream bug assigned to oezr Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/32826 has been resolved. Failed QA
@Satellite 6.10.0 snap 13
foreman-2.5.2.4-1.el7sat.noarch
satellite-6.10.0-0.6.beta.el7sat.noarch
Following the exact same steps from the reproducer, being logged in as a non-admin user, a token gets created, but I am getting "Could not revoke Token: Error: Request failed with status code 404".
==> /var/log/foreman/production.log <==
2021-08-20T07:34:34 [I|app|72b590ea] Started DELETE "/api/v2/users/15-read_user/personal_access_tokens/6" for 10.34.131.179 at 2021-08-20 07:34:34 -0400
2021-08-20T07:34:34 [I|app|72b590ea] Processing by Api::V2::PersonalAccessTokensController#destroy as JSON
2021-08-20T07:34:34 [I|app|72b590ea] Parameters: {"apiv"=>"v2", "user_id"=>"15-read_user", "id"=>"6"}
2021-08-20T07:34:34 [I|app|72b590ea] ActiveRecord::RecordNotFound (ActiveRecord::RecordNotFound)
2021-08-20T07:34:34 [I|app|72b590ea] Rendering api/v2/errors/not_found.json.rabl within api/v2/layouts/error_layout
2021-08-20T07:34:34 [I|app|72b590ea] Rendered api/v2/errors/not_found.json.rabl within api/v2/layouts/error_layout (Duration: 8.1ms | Allocations: 7539)
2021-08-20T07:34:34 [I|app|72b590ea] Completed 404 Not Found in 98ms (Views: 13.3ms | ActiveRecord: 11.5ms | Allocations: 39797)
Non-admin user is not able to list the existing tokens if he goes off the page and opens the Edit user page again. BZ1996048 filed for this issue.
If I add `view_users` permission to the non-admin user, using hammer (API) as the non-admin user, I can see the tokens listed:
# hammer user access-token list --user read_user --search "name = fdsf"
---|------|--------|-----------
ID | NAME | ACTIVE | EXPIRES AT
---|------|--------|-----------
3 | fdsf | yes |
---|------|--------|-----------
# hammer user access-token revoke --user read_user --id 3
Could not revoke personal access token:
Resource personal_access_token not found by id '3'
The non-admin user having the `edit_users` permission assigned is able to revoke the token:
# hammer user access-token revoke --user read_user --id 3
Personal access token [fdsf] revoked.
However, adding `edit_users` allows non-admin users to edit the admin's username for example. This makes the Personal Access Tokens feature unusable in environments where they care about security or strictly enforce RBAC.
Verified. Satellite 6.10.0-21.0 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4702 |