
nacos.core.auth.enabled=true then failed to change self's password #3406

Closed
lucianlv opened this issue Jul 21, 2020 · 4 comments

lucianlv commented Jul 21, 2020

(screenshot attached)

nacos version: 1.3.1

sanxun0325 (Collaborator) commented Jul 23, 2020

I will solve it.


sanxun0325 (Collaborator) commented Jul 30, 2020

@lucianlv I have tried many times but could not repeat this problem. If it is convenient, please add me on dingding to communicate.
dingding:wg46mjc


xiaozhongliu commented Aug 6, 2020

I have the same issue. Any progress to share?
#3534


ljhrot (Contributor) commented Aug 8, 2020

Enable authentication with nacos.core.auth.enabled=true, then create a new account and use that account to change its password; that reproduces the bug.

So far I see two situations that reproduce this bug:

  1. No role has been assigned to the new user.
     NacosRoleServiceImpl first intercepts every user that has no role:

     ```java
     public boolean hasPermission(String username, Permission permission) {

         List<RoleInfo> roleInfoList = getRoles(username);
         if (Collections.isEmpty(roleInfoList)) {
             return false;
         }
     ...
     ```

  2. The new user is bound to a role.
     The check in NacosRoleServiceImpl also intercepts every resource starting with console/, and the resource for changing the password is console/users:

     ```java
     // Old global admin can pass resource 'console/':
     if (permission.getResource().startsWith(NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX)) {
         return false;
     }
     ```

PS: there is a check that prevents binding the ROLE_ADMIN role to a new user.


My thoughts on fixing this bug:

Give newly created users a default management role, for example a USER_ADMIN role that has permission on the console/users resource path, and then stop intercepting that resource path. But this only fixes the problem temporarily: it would make every interface of UserController accessible to non-nacos accounts, which is a bad-smell kind of fix, so I don't really recommend it.

This problem is closely tied to the current implementation of the permission control feature. The resources defined by the frontend are mostly namespace concepts, whereas from the backend's point of view the interfaces provided are all resource concepts. The current permission check cannot check at HTTP method granularity; satisfying the permission-control requirements raised in many issues would require major changes.
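The two interception points ljhrot describes, as an added stand-alone model (editor's example, not Nacos's own NacosRoleServiceImpl or any commenter's code). The user, role and permission tables are constructed in memory, the user names, the ROLE_DEV role and its "public:*:*" entry are made up for the demonstration, and the final wildcard match is a simplified stand-in for the pattern match Nacos runs over a role's permission entries:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Model of the two interception points in NacosRoleServiceImpl.hasPermission
 * discussed in this issue. Illustrative code only: the tables are constructed
 * in memory and the wildcard match is a simplified stand-in for Nacos's own.
 */
public class PasswordChangeAuthDemo {

    // Values the page refers to: NacosAuthConfig.CONSOLE_RESOURCE_NAME_PREFIX and the global admin role.
    static final String CONSOLE_RESOURCE_NAME_PREFIX = "console/";
    static final String GLOBAL_ADMIN_ROLE = "ROLE_ADMIN";

    static final class Permission {
        final String resource;
        final String action;   // "r" or "w"
        Permission(String resource, String action) {
            this.resource = resource;
            this.action = action;
        }
    }

    // Constructed user -> roles table (the roles table in Nacos's database).
    static final Map<String, List<String>> USER_ROLES = new HashMap<>();
    // Constructed role -> (resource pattern, actions) table (the permissions table in Nacos).
    static final Map<String, Map<String, String>> ROLE_PERMISSIONS = new HashMap<>();

    static {
        USER_ROLES.put("nacos", Collections.singletonList(GLOBAL_ADMIN_ROLE));
        USER_ROLES.put("bob", Collections.singletonList("ROLE_DEV"));   // new user bound to a non-admin role
        // "alice" is a new user with no role binding at all (situation 1 above).
        Map<String, String> devPerms = new HashMap<>();
        devPerms.put("public:*:*", "rw");                                // hypothetical: full access to namespace "public"
        ROLE_PERMISSIONS.put("ROLE_DEV", devPerms);
    }

    static List<String> getRoles(String username) {
        return USER_ROLES.getOrDefault(username, Collections.<String>emptyList());
    }

    static boolean hasPermission(String username, Permission permission) {
        List<String> roles = getRoles(username);

        // Interception point 1: a user with no roles is rejected before anything else.
        if (roles.isEmpty()) {
            return false;
        }

        // The global admin passes every check.
        if (roles.contains(GLOBAL_ADMIN_ROLE)) {
            return true;
        }

        // Interception point 2: every console/ resource is rejected for non-admin roles,
        // and the password change endpoint is secured as console/users.
        if (permission.resource.startsWith(CONSOLE_RESOURCE_NAME_PREFIX)) {
            return false;
        }

        // Namespace-style resources are matched against the role's permission entries
        // (simplified: "*" becomes ".*" and the action letter must be present).
        for (String role : roles) {
            Map<String, String> perms = ROLE_PERMISSIONS.getOrDefault(role, Collections.<String, String>emptyMap());
            for (Map.Entry<String, String> entry : perms.entrySet()) {
                String resourceRegex = entry.getKey().replace("*", ".*");
                if (entry.getValue().contains(permission.action)
                        && Pattern.matches(resourceRegex, permission.resource)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Permission changePassword = new Permission(CONSOLE_RESOURCE_NAME_PREFIX + "users", "w");
        Permission writeConfig = new Permission("public:app-config:config", "w");   // constructed namespace resource

        for (String user : Arrays.asList("nacos", "alice", "bob")) {
            System.out.println(user + " -> change own password: " + hasPermission(user, changePassword)
                    + ", write public config: " + hasPermission(user, writeConfig));
        }
    }
}
```

Running it shows the asymmetry the comment points at: nacos (ROLE_ADMIN) is allowed both operations, alice (no role) is denied both by interception point 1, and bob (ROLE_DEV) can write the namespace resource his role grants yet is still denied the console/users write by interception point 2, because the password change is secured as a console resource rather than as an operation on the caller's own account. Any fix has to distinguish "a user editing their own password" from "a user administering other users" before the console/ prefix check runs.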

