400 Bad Request trying to grant permissions to client when user has same name #111
Comments
|
|
@marcparadise I'm pretty sure this one is not covered by the keys work. The actor in question here isn't the one making the request so the disambiguation strategy of the key work (figuring out the actor by looking at what key auth'd) doesn't apply. |
|
@jkeiser - Did you try to PUT to the |
|
Okay, I did some more digging here today, and regardless of the URLs put above, the premise is still true - you get a Testing this out locally, I get the following log message from |
|
And I've located the code that has an obvious bug in it here: convert_actor_names_to_ids(Names, OrgId) ->
ClientIds = oc_chef_group:find_client_authz_ids(Names, OrgId,
fun chef_sql:select_rows/1),
UserIds = oc_chef_group:find_user_authz_ids(Names, fun chef_sql:select_rows/1),
ClientIds ++ UserIds.
names_to_ids(Ace, OrgId) ->
ActorNames = ej:get({<<"actors">>}, Ace),
GroupNames = ej:get({<<"groups">>}, Ace),
ActorIds = convert_actor_names_to_ids(ActorNames, OrgId),
% Check to make sure everything got converted; if something is missing,
% there was an invalid actor or group name in the request body
case length(ActorNames) == length(ActorIds) of
false ->
throw(bad_actor);
_ ->
%% the rest doesn't matterIf the length of authz ids for actors is different from the length of plaintext names in the list, then we return |
|
+1, just ran into this. |
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
1 task
marcparadise
pushed a commit
that referenced
this issue
Aug 18, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. Further updates will provide a means to The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 19, 2016
* Fixed formatting in error message * Added eunit tests for oc_chef_authz_acl * Updates for code review comments. Signed-off-by: Marc Paradise <[email protected]>
marcparadise
pushed a commit
that referenced
this issue
Aug 22, 2016
This addresses three long-standing issues: 1. when a user exists in the Chef Server, it was not possible to add a client to an object's ACL if that client had the same name. The logic that retrieved actors based on names obeyed org constraints for clients, but looked at the global users list without consideration for whether or not the users were members of the organization. This has been corrected, so that the presence of a user anywhere in the system can no longer block a same-named client from being added to an object's ACL. 2. when an actor being added does not exist or is not in the organization, the request would fail with a 400 'missing/invalid actor' message. It would not give any indication of which actor(s) caused a problem. This has been corrected, and the error message now includes the list of actor(s) that could not be added. 3. when an actor being added exists as both an org client and a user, the same "400 missing/invalid actor" message would be sent. Occurrences of this will be reduced now that we restrict the search to users in the org, but can still occur if an org-user shares a name with a client. We have changed this to reply with "422 (Unprocessable Entity)". The error message explains that the actor name(s) are ambiguous and provides the list of names. The next round of updates will expand the acl API to accept and provide `clients` and `users` attributes. Using those attributes instead of `actors` when updating ACLs will give a workaround for the scenario described above (3) and will be the preferred method for updating ACLs via the API.
marcparadise
pushed a commit
that referenced
this issue
Aug 22, 2016
* Fixed formatting in error message * Added eunit tests for oc_chef_authz_acl * Updates for code review comments. Signed-off-by: Marc Paradise <[email protected]>
marcparadise
added a commit
that referenced
this issue
Aug 22, 2016
[SPOOL-197] [#111] clients can be added to ACL even if user exist
|
Resolved with changes from:
I'll close this issue once the last of those lands. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When a user on the server (but not in an org) has the same name as a client in the org, you cannot add that client to the permissions of any object. It gives you back a 400 instead. I would expect it to add the permissions (assuming the user isn't also in the org and there is no ambiguity).
This affects chef-provisioning and any client (including the webui) that tries to add permissions to objects.
Detail
When I have:
And I do a
PUT /organizations/foo/nodes/barwith:{ "read": { "actors": [ "mario", "pivotal" ] } }I expect the request to succeed and
marioto havereadaccess tobar.Instead, I get this:
The text was updated successfully, but these errors were encountered: