
2.0a4 User with correct permissions not allowed to view stream #1887

Closed
SjonHortensius opened this Issue Mar 3, 2016 · 6 comments

@SjonHortensius

SjonHortensius commented Mar 3, 2016

I have created a user with a Reader role and a proper role to view a few streams. This user can list the stream(names), but clicking a stream logs the user out immediately. The backend then says

INFO : org.graylog2.shared.security.ShiroAuthorizationFilter - User org.apache.shiro.subject.support.DelegatingSubject@47f819e9not authorized.
org.apache.shiro.authz.UnauthorizedException: Subject does not have permission [clusterconfigentry:read]
at org.apache.shiro.authz.ModularRealmAuthorizer.checkPermission(ModularRealmAuthorizer.java:323) ~[server.jar:?]
at org.apache.shiro.mgt.AuthorizingSecurityManager.checkPermission(AuthorizingSecurityManager.java:137) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.checkPermission(DelegatingSubject.java:205) ~[server.jar:?]
at org.apache.shiro.authz.aop.PermissionAnnotationHandler.assertAuthorized(PermissionAnnotationHandler.java:74) ~[server.jar:?]
at org.graylog2.shared.security.ShiroAuthorizationFilter.filter(ShiroAuthorizationFilter.java:51) [server.jar:?]
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:132) [server.jar:?]
at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:68) [server.jar:?]
at org.glassfish.jersey.process.internal.Stages.process(Stages.java:197) [server.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:318) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [server.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [server.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [server.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [server.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [server.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_74]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_74]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
2016-03-03 11:49:37,872 ERROR: org.graylog2.shared.rest.exceptionmappers.AnyExceptionClassMapper - Unhandled exception in REST resource
org.apache.shiro.session.UnknownSessionException: There is no session with id [8a80a184-d5cd-4ea8-9675-c9e226fff76b]
at org.apache.shiro.session.mgt.eis.AbstractSessionDAO.readSession(AbstractSessionDAO.java:170) ~[server.jar:?]
at org.apache.shiro.session.mgt.eis.CachingSessionDAO.readSession(CachingSessionDAO.java:261) ~[server.jar:?]
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSessionFromDataSource(DefaultSessionManager.java:236) ~[server.jar:?]
at org.apache.shiro.session.mgt.DefaultSessionManager.retrieveSession(DefaultSessionManager.java:222) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractValidatingSessionManager.doGetSession(AbstractValidatingSessionManager.java:118) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupSession(AbstractNativeSessionManager.java:108) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.lookupRequiredSession(AbstractNativeSessionManager.java:112) ~[server.jar:?]
at org.apache.shiro.session.mgt.AbstractNativeSessionManager.getAttribute(AbstractNativeSessionManager.java:209) ~[server.jar:?]
at org.apache.shiro.session.mgt.DelegatingSession.getAttribute(DelegatingSession.java:141) ~[server.jar:?]
at org.apache.shiro.session.ProxiedSession.getAttribute(ProxiedSession.java:121) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.getRunAsPrincipalsStack(DelegatingSubject.java:469) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.getPrincipals(DelegatingSubject.java:153) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.hasPrincipals(DelegatingSubject.java:126) ~[server.jar:?]
at org.apache.shiro.subject.support.DelegatingSubject.isPermitted(DelegatingSubject.java:158) ~[server.jar:?]
at org.graylog2.shared.rest.resources.RestResource.isPermitted(RestResource.java:96) ~[server.jar:?]
at org.graylog2.shared.rest.resources.RestResource.checkPermission(RestResource.java:110) ~[server.jar:?]
at org.graylog2.rest.resources.streams.StreamResource.get(StreamResource.java:185) ~[server.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_74]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_74]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_74]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_74]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) ~[server.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) ~[server.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) ~[server.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) ~[server.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) ~[server.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [server.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [server.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [server.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [server.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [server.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [server.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [server.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [server.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [server.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_74]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_74]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]

@kroepke kroepke added bug S1 P2 labels Mar 4, 2016

@kroepke kroepke added this to the 2.0.0 milestone Mar 4, 2016

@kroepke


kroepke commented Mar 4, 2016

The newly added permissions need to be added to the built-in roles.
See

protected static final Set<String> READER_BASE_PERMISSION_SELECTION = ImmutableSet.<String>builder().add(

@SjonHortensius


SjonHortensius commented Mar 4, 2016

Is there a work-around for this? I'm now assigning Admin roles to my users to work around this :)

@kroepke


kroepke commented Mar 4, 2016

You could manually (via the API) create a role that grants the clusterconfigentry:read permission and assign that role to the users, yes.
Or wait until the next alpha which will have the fix ;)
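The work-around kroepke describes above (a role carrying the missing permission, assigned to the affected users), as an added example that is not part of the thread or of the Graylog project. It first checks which of the permissions named in this thread a user's effective permission set does not cover, using Apache Shiro's wildcard-permission matching as the server's authorizer does, then builds the JSON bodies for the API calls. The endpoints `POST /roles` and `PUT /users/{username}`, the role field names, the server URL, credentials and the stream id are assumptions or placeholders, not values from the page.

```python
"""Added example; not code from the Graylog project or from the thread.

Assumptions (not stated on the page): Graylog 2.x exposes POST /roles and
PUT /users/{username}, and a role document uses the fields name, description,
permissions and read_only. Server URL and credentials below are placeholders.
"""
import base64
import json
import urllib.request

# Permissions this thread identifies as needed to open a stream in 2.0a4.
REQUIRED_STREAM_VIEW_PERMS = frozenset({"clusterconfigentry:read", "fieldnames:read"})


def implies(granted: str, required: str) -> bool:
    """Apache Shiro WildcardPermission semantics: colon-separated parts,
    comma-separated alternatives within a part, '*' matches anything, and a
    shorter granted string implies every longer one that starts with it."""
    g = [set(part.split(",")) for part in granted.lower().split(":")]
    r = [set(part.split(",")) for part in required.lower().split(":")]
    for i, req_part in enumerate(r):
        if i >= len(g):
            return True  # e.g. "streams:read" implies "streams:read:<id>"
        if "*" not in g[i] and not req_part <= g[i]:
            return False
    # granted is longer than required: the extra parts must all be wildcards
    return all("*" in part for part in g[len(r):])


def missing_permissions(granted, required=REQUIRED_STREAM_VIEW_PERMS):
    """Return the required permissions that no granted permission implies."""
    return {req for req in required if not any(implies(g, req) for g in granted)}


def role_payload(name, permissions, description="Extra permissions for stream readers"):
    """JSON body for creating a role (field names are an assumption, see docstring)."""
    return {"name": name, "description": description,
            "permissions": sorted(permissions), "read_only": False}


def user_roles_payload(current_roles, new_role):
    """JSON body that adds one role to a user without dropping the existing ones."""
    return {"roles": sorted(set(current_roles) | {new_role})}


def api_call(base_url, method, path, body, username, password):
    """Send one JSON request with HTTP basic auth; performs network I/O."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}{path}", data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed permission set of a reader who was also granted one stream
    # (the stream id is made up for this example).
    reader_perms = {"streams:read:56d83e0b1e9a2c45ab1d6f21", "fieldnames:read",
                    "users:edit:reader1"}
    gap = missing_permissions(reader_perms)
    print("missing:", sorted(gap))  # ['clusterconfigentry:read']
    role = role_payload("stream-reader-fix", gap)
    print(json.dumps(role, indent=2))
    # Against a live server (placeholder URL and credentials; not run here):
    # api_call("http://graylog.example:12900", "POST", "/roles", role, "admin", "<password>")
    # api_call("http://graylog.example:12900", "PUT", "/users/reader1",
    #          user_roles_payload(["Reader"], "stream-reader-fix"), "admin", "<password>")
```

Running `missing_permissions` before creating the role keeps the added role minimal: it only carries what the built-in Reader role does not already imply, which is the least-privilege way to apply this work-around until the alpha with the fix ships.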

@SjonHortensius


SjonHortensius commented Mar 4, 2016

If you also add fieldnames:read, that does indeed work

@kroepke kroepke self-assigned this Mar 4, 2016

kroepke added a commit that referenced this issue Mar 4, 2016

Reader base permissions must now include clusterconfigentry:read to be able to retrieve the settings for the relative time dropdown.

fix #1887
@kroepke


kroepke commented Mar 4, 2016

The fieldnames:read is already part of the base permissions for reader users and should not need to be added (it worked with that in my tests). Did you modify the reader role in the database?

@bernd bernd closed this in #1902 Mar 4, 2016

@SjonHortensius


SjonHortensius commented Mar 4, 2016

I did not modify the Reader role, but this install started as a 0.x install, maybe some sort of upgrade issue? Unless I added it, it didn't work
