
Artifact owner is not validated when using createArtifact resource to update artifacts #3949

Closed
kiest opened this issue Nov 7, 2023 · 2 comments · Fixed by #5635
kiest commented Nov 7, 2023

Description

Registry Version: latest
Persistence type: sql, in-memory

It is possible to update schema owned by another principal via createArtifact API resource (POST /groups/{groupId}/artifacts) with query parameter ifExists=RETURN_OR_UPDATE even when owner-only authorization (OBAC) is enabled.

I think I found the root cause of this issue:

Environment

Running Apicurio Registry in k8s cluster. Here are some configuration properties that are relevant to this problem:

REGISTRY_AUTH_ENABLED  = true
REGISTRY_AUTH_OBAC_ENABLED = true
KEYCLOAK_URL = <redacted>
KEYCLOAK_REALM = <redacted>

We are using both Apicurio Maven plugin and REST API for creating and updating schemas in Apicurio Registry.

Steps to Reproduce

  1. Configure Apicurio Registry to have both auth and OBAC enabled
  2. Create an Avro schema and publish it with Apicurio Maven plugin using principal A
  3. Change the schema and run Maven plugin with different principal B
  4. The schema is successfully updated, even though OBAC should have prevented it

Expected vs Actual Behaviour

Apicurio Registry should check artifact owner even when updating it via createArtifact API resource with ifExists=RETURN_OR_UPDATE when OBAC is enabled. Currently Apicurio Registry allows updating artifacts this way with different principal.

Logs

2023-11-06 15:25:25 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-54) apicurio.audit action="createArtifact" result="success" src_ip="<redacted>" if_exists="RETURN_OR_UPDATE" artifact_type="AVRO" name_encoded="<redacted>" canonical="true" artifact_id="<redacted same id>" principal_id="<redacted principal A>"

2023-11-06 15:42:55 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-72) apicurio.audit action="createArtifact" result="success" src_ip="<redacted>" if_exists="RETURN_OR_UPDATE" artifact_type="AVRO" name_encoded="<redacted>" canonical="true" artifact_id="<redacted same id>" principal_id="<redacted principal B>"
kiest added the type/bug (Something isn't working) label on Nov 7, 2023

carlesarnal (Member) commented:
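A defender-side check for the behaviour described in this report, as an added example (not code from the issue or from the Apicurio project): it parses audit lines in the apicurio.audit format quoted above and flags successful createArtifact calls with if_exists="RETURN_OR_UPDATE" whose principal_id differs from the principal that first created that artifact_id. The sample log lines are constructed placeholders modelled on the report's redacted ones, and treating the first principal seen in the log as the owner is an assumption: the registry's own owner metadata is authoritative, so the script is a triage aid, not a substitute for the OBAC check itself.

```python
import re

# Constructed sample audit log (placeholder values, not real identifiers).
# Line 1: principal-a creates the artifact.
# Line 2: principal-b updates it via RETURN_OR_UPDATE -> should be flagged.
# Line 3: a non-audit line, to show it is ignored.
# Line 4: principal-a updates its own artifact -> not flagged.
# Line 5: principal-c is denied (result="failure") -> not flagged.
SAMPLE_LOG = """\
2023-11-06 15:25:25 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-54) apicurio.audit action="createArtifact" result="success" src_ip="10.0.0.1" if_exists="RETURN_OR_UPDATE" artifact_type="AVRO" name_encoded="orders" canonical="true" artifact_id="orders-value" principal_id="principal-a"
2023-11-06 15:42:55 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-72) apicurio.audit action="createArtifact" result="success" src_ip="10.0.0.2" if_exists="RETURN_OR_UPDATE" artifact_type="AVRO" name_encoded="orders" canonical="true" artifact_id="orders-value" principal_id="principal-b"
2023-11-06 15:45:00 INFO <_> [io.quarkus] (main) Profile prod activated.
2023-11-06 15:50:00 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-73) apicurio.audit action="createArtifact" result="success" src_ip="10.0.0.1" if_exists="RETURN_OR_UPDATE" artifact_type="AVRO" name_encoded="orders" canonical="true" artifact_id="orders-value" principal_id="principal-a"
2023-11-06 16:00:00 INFO <_> [io.apicurio.common.apps.logging.audit.AuditLogService] (executor-thread-74) apicurio.audit action="createArtifact" result="failure" src_ip="10.0.0.3" if_exists="RETURN_OR_UPDATE" artifact_type="AVRO" name_encoded="orders" canonical="true" artifact_id="orders-value" principal_id="principal-c"
"""

AUDIT_MARKER = "apicurio.audit "
# key="value" pairs as emitted by the audit logger
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line):
    """Return the key/value fields of an apicurio.audit line, or None for other lines."""
    idx = line.find(AUDIT_MARKER)
    if idx < 0:
        return None
    fields = dict(KV_RE.findall(line[idx + len(AUDIT_MARKER):]))
    fields["timestamp"] = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix
    return fields


def find_cross_principal_updates(log_text):
    """Flag successful createArtifact + RETURN_OR_UPDATE calls made by a principal
    other than the one that first created the artifact id.

    Assumption: the first successful creator seen in the log is the owner. In a real
    deployment, cross-check against the registry's owner metadata before acting.
    """
    first_owner = {}
    findings = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("action") != "createArtifact" or f.get("result") != "success":
            continue
        artifact_id = f.get("artifact_id")
        principal = f.get("principal_id")
        if artifact_id not in first_owner:
            first_owner[artifact_id] = principal
            continue
        if f.get("if_exists") == "RETURN_OR_UPDATE" and principal != first_owner[artifact_id]:
            findings.append({
                "timestamp": f["timestamp"],
                "artifact_id": artifact_id,
                "owner": first_owner[artifact_id],
                "principal_id": principal,
                "src_ip": f.get("src_ip"),
            })
    return findings


if __name__ == "__main__":
    for hit in find_cross_principal_updates(SAMPLE_LOG):
        print("possible OBAC bypass:", hit)
```

Run it against the registry's audit log instead of SAMPLE_LOG to list artifacts that were updated through createArtifact by someone other than their first creator; a hit on a deployment with REGISTRY_AUTH_OBAC_ENABLED=true is exactly the situation this issue describes. Legitimate owner transfers will also show up, so review hits against the artifact's current owner rather than treating every line as a violation.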
I have one comment about the version before trying to reproduce this. You mention latest, but we only publish latest-release and latest-snapshot. Do you mind confirming that this is happening in those?

kiest (Author) commented Dec 15, 2023

I was using latest-release when testing this issue (back in November 2023). It was also reproducible with 2.4.2.Final.

@carlesarnal carlesarnal linked a pull request Dec 2, 2024 that will close this issue