Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nacos permission Bug #4262

Closed
309283175 opened this issue Nov 19, 2020 · 14 comments
Closed

Nacos permission Bug #4262

309283175 opened this issue Nov 19, 2020 · 14 comments
Labels
status/duplicate This issue or pull request already exists

Comments

@309283175
Copy link

309283175 commented Nov 19, 2020

turn on auth system, create new role ROLE_TEST,then add public resource to ROLE_TEST with rw,the data in table permissions is:

role	       resource	action
ROLE_TEST	:*:*	rw

com.alibaba.nacos.console.security.nacos.roles.NacosRoleServiceImpl.hasPermission()

 String permissionResource = permissionInfo.getResource().replaceAll("\\*", ".*");
 String permissionAction = permissionInfo.getAction();
  if (permissionAction.contains(permission.getAction()) &&
       Pattern.matches(permissionResource, permission.getResource())) {
        return true;
 }

if i use spring.cloud.nacos.username=test register my service to nacos with public namespace,my resource is "public:DEFAULT_GROUP:naming/my-service",but the parttern is :.*:.* , Pattern.matches(permissionResource, permission.getResource()) shoud be true but false

com.alibaba.nacos.api.exception.NacosException: failed to req API:/nacos/v1/ns/instance after all servers([x.x.x.x:8848]) tried: ErrCode:403, ErrMsg: authorization failed!

@horizonzy
Copy link
Collaborator

horizonzy commented Nov 19, 2020

Hi, did you bind user test with role ROLE_TEST.

@309283175
Copy link
Author

309283175 commented Nov 19, 2020

@horizonzy of course i bind user test with role ROLE_TEST.

@309283175
Copy link
Author

309283175 commented Nov 19, 2020

@horizonzy ,As i mentioned above ,this bug only appear with user not have ROLE_ADMIN and want register to public namespace.

@horizonzy
Copy link
Collaborator

horizonzy commented Nov 19, 2020

I will have a try to reproduce it.

@binbin0325 binbin0325 added contribution welcome kind/bug Category issues or prs related to bug. labels Nov 19, 2020
@binbin0325
Copy link
Collaborator

binbin0325 commented Nov 19, 2020

when public resource permissions are set, the permissionResource should be public:.*:.*

@309283175
Copy link
Author

309283175 commented Nov 19, 2020

@sanxun0325 I have tried to modify the resource record of the database :*:* to public:*:* directly. The service registration is successful. but it has caused another problem when I log in to the console with the test user and select the public namespace, a warning of no permission will appear。

@binbin0325
Copy link
Collaborator

binbin0325 commented Nov 19, 2020

@sanxun0325 I have tried to modify the resource record of the database :*:* to public:*:* directly. The service registration is successful. but it has caused another problem when I log in to the console with the test user and select the public namespace, a warning of no permission will appear。

nacos server version can be tried with 1.4.0, which fixes the console problem

@309283175
Copy link
Author

309283175 commented Nov 19, 2020

@sanxun0325 I have tried to modify the resource record of the database :*:* to public:*:* directly. The service registration is successful. but it has caused another problem when I log in to the console with the test user and select the public namespace, a warning of no permission will appear。

nacos server version can be tried with 1.4.0, which fixes the console problem

ok,I will try it again with 1.4.0

@horizonzy
Copy link
Collaborator

horizonzy commented Nov 19, 2020

when public resource permissions are set, the permissionResource should be public:.*:.*

maybe this situation need more thought. If config module, if publishConfig without namespace, it will cause problem.

@binbin0325
Copy link
Collaborator

binbin0325 commented Nov 19, 2020

when public resource permissions are set, the permissionResource should be public:.*:.*

maybe this situation need more thought. If config module, if publishConfig without namespace, it will cause problem.

Yes, more testing is needed

@309283175
Copy link
Author

309283175 commented Nov 19, 2020

when public resource permissions are set, the permissionResource should be public:.*:.*

maybe this situation need more thought. If config module, if publishConfig without namespace, it will cause problem.

@horizonzy @sanxun0325 That's right ,I have retry this scene with 1.4.0,and the problem remains.

@309283175
Copy link
Author

309283175 commented Nov 19, 2020

Since the public namespace resources stored in the table permissions in the existing database are :*:* , I think we only need to parse the public namespace prefix to a blank string when registering the service. And the Console not need to do anything.
AT com.alibaba.nacos.naming.web.NamingResourceParser.parseName(Object request)
before:
if (StringUtils.isNotBlank(namespaceId)) { sb.append(namespaceId); }
after
if (StringUtils.isNotBlank(namespaceId) && !"public".equals(namespaceId)) { sb.append(namespaceId); }

Similarly, the configuration center is handled in the same way.
AT com.alibaba.nacos.config.server.auth.ConfigResourceParser.parseName(Object request)

I have tested and verified that this problem has been resolved in my local environment.

@horizonzy
Copy link
Collaborator

horizonzy commented Nov 19, 2020

I think we should compatible it in ResourceParser, if the namespace value is 'public', replace it by '';

@KomachiSion
Copy link
Collaborator

KomachiSion commented Nov 19, 2020

maybe duplicate with #3524

KomachiSion pushed a commit that referenced this issue Nov 20, 2020
* fix public namespace permission problem

* move NamespaceUtilTest to common module
@KomachiSion KomachiSion added status/duplicate This issue or pull request already exists and removed contribution welcome kind/bug Category issues or prs related to bug. labels Nov 23, 2020
KomachiSion added a commit that referenced this issue Dec 3, 2020
* [ISSUE-#4262] Fix public namespace permission problem (#4273)

* fix public namespace permission problem

* move NamespaceUtilTest to common module

* [ISSUE-#4232] Use EnvUtil to replace ApplicationUtils about env operation (#4281)

* use EnvUtil to replace ApplicationUtils about env operation

* remove unuse import

* remove unuse import

* remove profile usage

* [ISSUE-#4294] Use EnvUtils.setEnvironment to replace ApplicationUtils.injectEnvironment (#4295)

* use EnvUtils.setEnvironment to replace ApplicationUtils.injectEnvironment.

* remove unuseful import

* remove unuseful import

* refactor: refactor issue #4291 (#4292)

* remove env operation code in ApplicationUtils (#4298)

* refactor issue #4275 (#4299)

* when auth open, use resource parser cache, not use reflect newInstance every time. (#4287)

* [ISSUE-#4256] Just inject environment in StartingSpringApplicationRunListener (#4257)

* just inject environment in StartingSpringApplicationRunListener

* make nacosStartingListener is decoupling with springApplicationRunListener.

* add api doc

* refactor. transfer nacos listeners to SpringApplicationRunListener.

* remove unuseful import

* add doc info

* [ISSUE #4311] Fix Derby data source related SQL LIMIT exception (#4313)

* for #4311,Fixed Derby data source related SQL LIMIT exception.

* fix code style.

* code format.

* [ISSUE-#4310] Delete the main function only for testing (#4312)

* [ISSUE #4320] Fixing the Naming consistency module could not start in cluster mode (#4321)

* refactor: refactor issue #4291

* fix: fixing the Naming consistency module could not start in cluster mode

* fix service list can not search by groupName only (#4308)

* fix service list can not search by groupName only

* fix service list can not search by groupName only

* fix checkStyle

* add ut for NamingUtils

* [ISSUE-#4258]  Fix wrong path when -Dspring.config.location not set (#4259)

* fix spring.config.location is nullapplication.properties when -Dspring.config.location is not set in env

* fix wrong path when -Dspring.config.location not set

* modify default file resource method name

* fix "/" magic value

* change the way of get file

* not judge pathSplit by self, use Paths.get(a, b);

* when spring.config.location is not set, use {nacos.home}/conf/application.properties to cover it.

* refactor code

* code quality enhance

* just use two level to load conf. {spring.config.location}/application.properties -> classpath:/application.properties

* code clean

* Upgrade jraft to 1.3.5 (#4339)

* 升级jraft到1.3.5以支持IPv6, 调整 NamingUtilsTest 代码格式以解决checkstyle问题

* 删除测试类的类注释

* [ISSUE-#4342] Fix nacos.core.protocol.raft.data.read_index_type isn't effect (#4343)

* fix nacos.core.protocol.raft.data.read_index_type=ReadOnlyLeaseBased isn't effect and enhance log hint

* define ReadOnlyOption param name just by self

* [ISSUE-#4333]Add MapRowMapper to RowMapperManager (#4334)

* for #4311,Fixed Derby data source related SQL LIMIT exception.

* Revert "for #4311,Fixed Derby data source related SQL LIMIT exception."

This reverts commit 49188f1

* fix #4333.

* Remove case conversion.

* [ISSUE-#4181]  Normalize ContextPath value in client-side (#4326)

* [ISSUE-#4181] Just use ContextPathUtil normalize ContextPath value

* [ISSUE-#4181] add some test cases

* fix styles at the button '新建命名空间' (#4362)

* [ISSUE-#4346] Fix import code (#4347)

* remove import.*

* transfer first_pre to final static variable

* use NamingBase.Xxx to replace constant

* reuse cliClientService (#4375)

* Sync code from upstream/develop

Co-authored-by: 赵延 <1060026287@qq.com>
Co-authored-by: liaochuntao <liaochuntao@live.com>
Co-authored-by: zhuhao <yczhuhaogg@gmail.com>
Co-authored-by: mai.jh <maijh97@gmail.com>
Co-authored-by: 孙继峰 <sun.jifeng@outlook.com>
Co-authored-by: Mark4z <36187602+mark4z@users.noreply.github.com>
Co-authored-by: 邪影oO <213539@qq.com>
Co-authored-by: Gagharv <wwfortunate@gmail.com>
Co-authored-by: iochenlei <iochenlei@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status/duplicate This issue or pull request already exists
Projects
None yet
Development

No branches or pull requests

4 participants