Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Fix] Wrong permissions on edit CDB #2665

Merged
merged 23 commits into from
Dec 18, 2020

Conversation

gabiwassan
Copy link
Contributor

@gabiwassan gabiwassan commented Nov 27, 2020

Hi team,

This PR resolves:

  • Wrong permissions on edit CDB List with Cluster and Manager context configuration server.
  • Added action to get context server and status.
  • Context server is dynamically added to the CDBList edit button, add new, and delete.
    Note: Policy cluster:status is necessary to get configuration context manager or cluster

Issue #2657

@gabiwassan gabiwassan changed the title [Fix] Wrong permissions on edit CDB #2657 [Fix] Wrong permissions on edit CDB Nov 27, 2020
@gabiwassan gabiwassan requested a review from frankeros November 27, 2020 21:33
@gabiwassan gabiwassan requested a review from Desvelao November 30, 2020 17:17
Copy link
Contributor

@jsanchez91 jsanchez91 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have conducted tests with these users and roles using X-Pack Security:

  • elastic: administrator
  • test_user: readonly, cluster_readonly

This is the result I have obtained in both tests

image

@gabiwassan
Copy link
Contributor Author

I have conducted tests with these users and roles using X-Pack Security:

  • elastic: administrator
  • test_user: readonly, cluster_readonly

This is the result I have obtained in both tests

image

Thanks, I'm checking it right now.

@frankeros
Copy link
Contributor

frankeros commented Dec 10, 2020

Hi @gabiwassan

Testing this branch I found this bug when you set these policies to the role

image

You're able to see all files but trying to access one of them throw this error
image

The same error occurs
image



With these policies

image
when you try to add new lists
image
It requires a specific path (I'm not sure if it is a bug)
Screenshot from 2020-12-10 10-02-26

},
{
action: `${((this.props || {}).clusterStatus || {}).contextConfigServer}:read`,
resource: `file:path:/etc/${this.props.msg}`,
Copy link
Member

@Desvelao Desvelao Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it be the section variable instead this.props.msg? I checked the code and didn't found where it is coming from.

},
{
action: `${((this.props || {}).clusterStatus || {}).contextConfigServer}:read_file`,
resource: `file:path:/etc/${this.props.msg}`,
Copy link
Member

@Desvelao Desvelao Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it be the section variable instead this.props.msg? I checked the code and didn't found where it is coming from.

@Desvelao
Copy link
Member

Desvelao commented Dec 10, 2020

I tested the PR and found the next problem:

  • Logged with deafult admin user in Open Distro, I foudn this problem in the Management/Rules section:
    image

@Desvelao
Copy link
Member

I don't think we need check the permissions here, allowing edit/remove items of the list.
image
image

I think only the Save button is enough to do the validation to upload the file.

I found a problem using the default admin user that has the default administrator role. The Save button is disabled because the required resource is not included in the action that has this role.

image
image

Maybe modify the resource to node:id:* (Although the file should really have to be uploaded to the master node of the cluster, i mean the resource should be node:id:<master_node_id> instead node:id:* to be more exactly)

@gabiwassan gabiwassan requested a review from Desvelao December 10, 2020 21:02
@frankeros
Copy link
Contributor

Testing the new commits I found these two bugs

  • When the user has permissions to a specific file and permissions to upload_file
    image
    and try to save a new list file gets this error
    image
    but the new item is created anyway

  • When the user (any with access to this action) tries to export a list detail, gets this error
    image

code: 3034
message: "3034 - An error occurred fetching data from the Wazuh API : Extra query parameter(s) path not in spec"
statusCode: 500

Copy link
Contributor

@frankeros frankeros left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great job @gabiwassan!! 👏 👏

@gabiwassan
Copy link
Contributor Author

Testing the new commits I found these two bugs

  • When the user has permissions to a specific file and permissions to upload_file
    image
    and try to save a new list file gets this error
    image
    but the new item is created anyway
  • When the user (any with access to this action) tries to export a list detail, gets this error
    image
code: 3034
message: "3034 - An error occurred fetching data from the Wazuh API : Extra query parameter(s) path not in spec"
statusCode: 500

The following issue was created #2692 for error 500

Copy link
Member

@Desvelao Desvelao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Desvelao Desvelao removed the request for review from jsanchez91 December 18, 2020 10:32
@gabiwassan gabiwassan merged commit 4df6d4a into 4.0-7.9 Dec 18, 2020
@gabiwassan gabiwassan deleted the fix/2657-wrong-permissions-on-edit-cdb branch December 18, 2020 11:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants