Updating to Marathon(-ldap) 1.3 broke modal windows #6
Comments
|
Hi @DGollings 1.3 Only works with Marathon version 1.3+ which was recently release. If you are not running Marathon 1.3 you must use the Marathon-LDAP 1.1 release https://github.com/ContainX/marathon-ldap/releases/tag/1.1 Could you confirm your Marathon version |
|
Marathon 1.3 and Marathon-ldap 1.3 Also, I 'fixed' it like this: |
|
diff --git a/src/main/java/io/containx/marathon/plugin/auth/LDAPAuthorizor.java b/src/main/java/io/containx/marathon/plugin/auth/LDAPAuthorizor.java
**+ return true;
**+ VIEW_RESOURCE(ViewResource$.MODULE$, PermissionType.VIEW, EntityType.APP),
|
|
Ok thanks! Did you want to just submit this in a PR? |
|
No, don't really consider it a fix (I have no idea what I'm doing) :) I think it's secure-ish, but mostly it works which was good enough for now. (I think the *_RESOURCE stuff is close enough, but I doubt return true is acceptable) |
|
@DGollings since your on source, would you mind testing this fix. The solution I did was to add the types missing from the plugin differences between 1.1 and 1.3 so we don't throw the IllegalArg. This sounded like the root cause and if it works will keep security in tact as it was prior. |
|
See my 'fix', I tried the same but it didnt work. Something needs to be changed in LDAPAuthorizor.java as well but I couldnt't (quickly) figure out what. I think VIEW_RESOURCE is an instanceof something else? Haven't tested it, but considering I tried the same I doubt commit 32aa110 is enough. Did you change more? |
|
You are correct. I setup an environment running Marathon 1.3.2 and was able to reproduce this. Unfortunately when its of type ViewResource the actual resource is a SystemConfig which contains no PathId info, Prior calls validate you have rights to even make the "modal" action so in this scenario I return true. Modals are now working for resources we are granted to see. Just update the 1.3 release with the fixes. You can grab that jar and test if you wish. Let me know if it works in your environment |
|
Fixed, thanks a lot |
Updated marathon and ldap, can no longer use the GUI for creating new applications or editing existing ones.
Short stacktrace:
Oct 07 14:07:48 host marathon[2197]: java.lang.IllegalArgumentException: Unknown Action: ViewResource
Oct 07 14:07:48 host marathon[2197]: at io.containx.marathon.plugin.auth.type.Action.byAction(Action.java:38)
Oct 07 14:07:48 host marathon[2197]: at io.containx.marathon.plugin.auth.LDAPAuthorizor.isAuthorized(LDAPAuthorizor.java:26)
Oct 07 14:07:48 host marathon[2197]: at mesosphere.marathon.core.event.impl.stream.HttpEventStreamServlet.isAuthorized$1(HttpEventStreamServlet.scala:78)
The text was updated successfully, but these errors were encountered: