Check auth realm access on instance level #4488

Merged
merged 2 commits into from Jan 18, 2018

2 participants
@kroepke
Member

kroepke commented Jan 17, 2018

These changes allow the UI to request information about the auth realms without requiring a global permission to do so.
Each realm is checked individually, and a user without any access to them gets an empty set instead of a permission error.

This allows the UI to avoid special handling for users editing their own profile information.

Also include the new authentication permissions in the meta resource.

This requires backporting to 2.4 once reviewed.

fixes #4420
fixes #4442

kroepke added some commits Jan 17, 2018

filter authentication provider information by realm names
instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420
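
The difference between a single global gate and a per-realm check, as an added example that is not code from this pull request or from Graylog. The realm names, the colon-separated permission strings and all class and method names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration: permission strings and realm names are constructed, not Graylog's.
public class RealmAccessDemo {
    // Constructed sample of the realms configured on an instance.
    static final List<String> REALMS = List.of("ldap", "password", "access-token");

    // A grant implies a request when each colon-separated part matches or is "*".
    // A shorter grant covers every instance; a longer grant never implies a global request.
    static boolean implies(String granted, String requested) {
        String[] g = granted.split(":"), r = requested.split(":");
        for (int i = 0; i < r.length; i++) {
            if (i >= g.length) return true;
            if (!g[i].equals("*") && !g[i].equals(r[i])) return false;
        }
        for (int i = r.length; i < g.length; i++) {
            if (!g[i].equals("*")) return false;
        }
        return true;
    }

    static boolean isPermitted(Set<String> grants, String requested) {
        return grants.stream().anyMatch(g -> implies(g, requested));
    }

    // Before: one global gate. A user without it gets an error instead of an answer.
    static List<String> listRealmsGlobalCheck(Set<String> grants) {
        if (!isPermitted(grants, "authentication:read")) {
            throw new SecurityException("not authorized");
        }
        return REALMS;
    }

    // After: each realm is checked by name. No access yields an empty list, not an error.
    static List<String> listRealmsPerInstance(Set<String> grants) {
        return REALMS.stream()
                .filter(realm -> isPermitted(grants, "authentication:read:" + realm))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        Set<String> profileOnly = Set.of("users:edit:alice");      // constructed grants
        Set<String> ldapOnly = Set.of("authentication:read:ldap");
        System.out.println(listRealmsPerInstance(profileOnly));
        System.out.println(listRealmsPerInstance(ldapOnly));
        try { listRealmsGlobalCheck(ldapOnly); }
        catch (SecurityException e) { System.out.println("global check: " + e.getMessage()); }
    }
}
```

With the per-instance variant, the response to a caller with no grants is the same whether no realms are configured or none are visible to that caller.
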

@kroepke kroepke added this to the 3.0.0 milestone Jan 17, 2018

@bernd

bernd approved these changes Jan 18, 2018

@bernd bernd merged commit 5a4376d into master Jan 18, 2018

5 checks passed

ci-web-linter Jenkins build graylog-pr-linter-check 2188 has succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
graylog-project/pr Jenkins build graylog-project-pr-snapshot 908 has succeeded
license/cla Contributor License Agreement is signed.

@wafflebot wafflebot bot removed the ready-for-review label Jan 18, 2018

@bernd bernd deleted the auth-permissions branch Jan 18, 2018

bernd added a commit that referenced this pull request Jan 18, 2018

Check auth realm access on instance level (#4488)
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420

(cherry picked from commit 5a4376d)

kroepke added a commit that referenced this pull request Jan 19, 2018

Check auth realm access on instance level (#4488) (#4494)
(cherry picked from commit 5a4376d)