GET /api/latest/fleet/queries/run incorrectly returns 200 for non-authorized users (queries do not run though) #11446
Status: Closed
Labels:
- #g-endpoint-ops: Endpoint ops product group
- :release: Ready to write code. Scheduled in a release. See "Making changes" in handbook.
- bug: Something isn't working as documented
- ~backend: Backend-related issue.
- ~live-query: Related to live querying with Fleet -- either in the UI, or via fleetctl, or via the REST API
- ~query console: Related to the query console (composing/targeting/running queries)
- ~released bug: This bug was found in a stable release.
Fleet version: main 68f2aef (4.31.0)
As a fleetctl user not authorized to run a live query I run it via the synchronous API (GET /api/latest/fleet/queries/run) (e.g. an observer attempting to run a non-observer_can_run query, or a gitops attempting to run any query).
🧑💻 Expected behavior
User gets a "forbidden" HTTP 403.
💥 Actual behavior
The query does not run as expected, but the user gets an HTTP 200.
👣 Reproduction steps
Where TEST_TOKEN is a token for a user that is not authorized to run the query with id 2 on the host with id 1.
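The shape of the defect this issue reports, as an added example that is not Fleet's code: a handler that checks authorization, skips the work when the check fails, but never sets a status code, so net/http answers 200 with an empty result; next to it, the corrected handler that maps the authorization failure to 403 before doing anything. The authorize function, the token values, the observer_can_run table and the JSON bodies are all constructed for the example; only the endpoint path comes from the issue. statusFor drives a handler with an in-memory request and returns the status code, which is what a regression test for this issue should assert on rather than the response body.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrForbidden is returned by the stand-in authorizer when the caller may not run the query.
var ErrForbidden = errors.New("forbidden")

// authorize is a constructed stand-in for the real authorization check (not Fleet's code).
// "admin-token" may run anything; any other token may only run queries flagged
// observer_can_run, which for this example is query 1 but not query 2.
func authorize(token string, queryID int) error {
	observerCanRun := map[int]bool{1: true, 2: false}
	if token == "admin-token" || observerCanRun[queryID] {
		return nil
	}
	return ErrForbidden
}

func bearerToken(r *http.Request) string {
	return strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
}

// buggyRunQuery reproduces the reported behaviour: the authorization failure prevents
// the query from running, but the error is swallowed and no status code is written,
// so the client receives 200 with an empty result set.
func buggyRunQuery(queryID int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if err := authorize(bearerToken(r), queryID); err != nil {
			// nothing runs, but the status defaults to 200 because WriteHeader is never called
			fmt.Fprint(w, `{"results":[]}`)
			return
		}
		fmt.Fprint(w, `{"results":[{"host_id":1,"rows":[]}]}`)
	}
}

// fixedRunQuery maps the authorization error to 403 before any work is done.
func fixedRunQuery(queryID int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if err := authorize(bearerToken(r), queryID); err != nil {
			status := http.StatusInternalServerError
			if errors.Is(err, ErrForbidden) {
				status = http.StatusForbidden
			}
			w.WriteHeader(status)
			fmt.Fprintf(w, `{"message":%q}`, err.Error())
			return
		}
		fmt.Fprint(w, `{"results":[{"host_id":1,"rows":[]}]}`)
	}
}

// statusFor sends an in-memory GET to the handler with the given bearer token and
// returns the HTTP status code; a regression test should assert on this value.
func statusFor(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/latest/fleet/queries/run", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("buggy handler, observer token, query 2:", statusFor(buggyRunQuery(2), "observer-token"))
	fmt.Println("fixed handler, observer token, query 2:", statusFor(fixedRunQuery(2), "observer-token"))
	fmt.Println("fixed handler, admin token, query 2:   ", statusFor(fixedRunQuery(2), "admin-token"))
	fmt.Println("fixed handler, observer token, query 1:", statusFor(fixedRunQuery(1), "observer-token"))
}
```

The point of the fixed variant is ordering: the authorization decision is made and turned into a status code before the handler touches the query, so a client (or a monitoring rule watching for 403s on this endpoint) can distinguish "not allowed" from "allowed, but no results".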