non-admins unable to browse volumes created by stacks #4929

Closed
bjo81 opened this issue Mar 18, 2021 · 17 comments
Comments

@bjo81

bjo81 commented Mar 18, 2021

Bug description
Non-admins are unable to browse their volumes even though Enable volume management for non-administrators is enabled.

Expected behavior
Users / Teams can access and browse the volumes of their stacks

Portainer Logs
Unfortunately the last log entry is from yesterday, so it seems nothing related is logged.

Steps to reproduce the issue:

  1. Set Enable volume management for non-administrators to enabled.
  2. Login as a user
  3. Access a volume the user should have access to
  4. Click on Browse
  5. "Unable to browse volume"
  6. Access with the admin user works.

Technical details:

  • Portainer version: 2.1.1
  • Docker version (managed by Portainer): 20.10.3, build 48d30b5
  • Platform (windows/linux): Linux
  • Command used to start Portainer (docker run -p 9000:9000 portainer/portainer): docker stack deploy --compose-file=portainer-agent-stack.yml portainer
  • Browser: Firefox 86.0 (64-Bit) on Ubuntu 20.10
  • Use Case (delete as appropriate): Using Portainer in a Commercial setup.
  • Have you reviewed our technical documentation and knowledge base? Yes
@PortainerSupport

Ticket update by Bala Natarajan (bala.Natarajan@portainer.io)

Hi

Thanks for raising this, I think it's similar to this issue:
#4851

@bjo81

bjo81 commented Mar 19, 2021

@PortainerSupport Thanks for the hint. I don't know if it's completely similar as in #4851. In my case, the permissions are not reset to admins like in #4851, according to the permissions everything is fine:
volumes

@PortainerSupport

Ticket update by Bala Natarajan (bala.Natarajan@portainer.io)

Hi

Thanks. I believe it's a single-host Docker deployment.

1. Please make sure an agent runs on port 9001.

2. From the UI, in the Endpoints section, access the agent endpoint, click Manage access, and give the non-admin user permission.

3. Also, while creating the volume, please make sure restricted access is chosen and the non-admin is added to it.

@balasu

balasu commented Mar 21, 2021

endpoint manageaccess
image
image

volumesettings
image

user login
image

@bjo81

bjo81 commented Mar 22, 2021

Hi,

Thanks. I believe it's a single-host Docker deployment.

No, it's a Docker Swarm deployment.

1. Please make sure an agent runs on port 9001.

Sure it does.

2. From the UI, in the Endpoints section, access the agent endpoint, click Manage access, and give the non-admin user permission.

The non-admin users have access to the endpoints.

3. Also, while creating the volume, please make sure restricted access is chosen and the non-admin is added to it.

The volumes are automatically created by the stack and inherited the permissions.

@balasu

balasu commented Mar 22, 2021

Hi, the endpoint should have this access. Below is an example where demo is the team and user joe is part of it. Please share the stack.
image

@bjo81

bjo81 commented Mar 23, 2021

Sure, the teams have access to the endpoint and the stack. The users can manage services / containers in the stack.

Here we have the stack:
stack

Here we have the volume from the stack:
volume

testuser is part of the team:
team

testuser can access the endpoint and the stack:
testuser-stack

testuser can also see the volumes:
testuser-volumes

But testuser cannot browse them:
testuser-volume-error

@balasu

balasu commented Mar 23, 2021

Please check and confirm by clicking on the endpoint, then on the primary agent's Manage access:
image
From the joe user:
image

@bjo81

bjo81 commented Mar 23, 2021

At the endpoint the team has access:
endpoint

From testuser:
testuser-volume

@PortainerSupport

Ticket update by Bala Natarajan (bala.Natarajan@portainer.io)

Hi

Please try incognito mode and different browsers once. Please share the
Portainer logs.

@bjo81

bjo81 commented Mar 23, 2021

No luck with incognito mode on Firefox and Chromium.

Logs:

2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:09:44 http: proxy error: Error: No such volume: mi<redacted>_dev2_content2021-03-18T12:41:01+01:00
2021/03/23 11:10:19 http error: Invalid credentials (err=Unauthorized) (code=422)
2021/03/23 11:10:22 http error: Invalid credentials (err=Unauthorized) (code=422)
2021/03/23 11:10:32 http: proxy error: Error: No such volume: mi<redacted>_dev2_content2021-03-18T12:41:01+01:00

@balasu

balasu commented Mar 23, 2021

Hi, looks like the same as #4851. I created an nginx service from the admin user and mounted the test volume that has restricted access; it doesn't show the data for the joe user when logged in.

image
Before mounting the volume to the service, the permission column had "restricted"; after mounting the volume it turned to "administrator".
image

@bjo81

bjo81 commented Mar 23, 2021

@balasu
No, it's not the same. The restriction is not reset to administrators and, as you can see in the screenshot, testuser can still see the volume.
testuser-volume

According to the logs, the issue is that Portainer attaches a timestamp to the volume name.
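As an added triage helper (not part of this issue or of Portainer itself), assuming Portainer log lines in the format quoted above: it counts the authentication failures and, for each "No such volume" proxy error, splits off a trailing RFC 3339 timestamp so the name Portainer asked the agent for can be compared against the volume that actually exists. The sample log is constructed from the lines quoted in the report.

```python
import re

# Constructed sample in the format of the Portainer log lines quoted in the report above.
SAMPLE_LOG = """\
2021/03/23 11:07:41 http error: Invalid JWT token (err=Invalid JWT token) (code=401)
2021/03/23 11:09:44 http: proxy error: Error: No such volume: mi<redacted>_dev2_content2021-03-18T12:41:01+01:00
2021/03/23 11:10:19 http error: Invalid credentials (err=Unauthorized) (code=422)
2021/03/23 11:10:22 http error: Invalid credentials (err=Unauthorized) (code=422)
2021/03/23 11:10:32 http: proxy error: Error: No such volume: mi<redacted>_dev2_content2021-03-18T12:41:01+01:00
2021/03/23 11:11:00 http: proxy error: Error: No such volume: plain_volume
"""

# "http error" lines carry the message, the wrapped error and the HTTP status code.
HTTP_ERROR = re.compile(
    r"^(?P<ts>\S+ \S+) http error: (?P<msg>.*?) \(err=(?P<err>.*?)\) \(code=(?P<code>\d+)\)$")
# "proxy error" lines are Docker API errors relayed from the agent.
MISSING_VOLUME = re.compile(
    r"^(?P<ts>\S+ \S+) http: proxy error: Error: No such volume: (?P<name>.+)$")
# An RFC 3339 timestamp glued directly onto the end of a volume name, with no separator.
TRAILING_TS = re.compile(
    r"^(?P<base>.+?)(?P<stamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))$")

def split_trailing_timestamp(name):
    """Return (base_name, timestamp) if a timestamp is appended, else (name, None)."""
    m = TRAILING_TS.match(name)
    return (m["base"], m["stamp"]) if m else (name, None)

def parse_line(line):
    """Classify one log line; returns None for lines this parser does not know."""
    m = HTTP_ERROR.match(line)
    if m:
        kind = "auth_failure" if m["code"] in ("401", "422") else "http_error"
        return {"ts": m["ts"], "kind": kind, "code": int(m["code"]), "msg": m["msg"]}
    m = MISSING_VOLUME.match(line)
    if m:
        base, stamp = split_trailing_timestamp(m["name"])
        return {"ts": m["ts"], "kind": "missing_volume", "volume": base, "suffix": stamp}
    return None

def summarize(log_text):
    """Count auth failures and list volume names whose lookup carried a timestamp suffix."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    mangled = sorted({e["volume"] for e in events if e["kind"] == "missing_volume" and e["suffix"]})
    auth = sum(1 for e in events if e["kind"] == "auth_failure")
    return {"auth_failures": auth, "mangled_volume_lookups": mangled}
```

A name that comes back in `mangled_volume_lookups` should be checked with `docker volume ls` on the Swarm node: if the base name exists but the suffixed one does not, the browse request is failing on the lookup rather than on access control.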

@PortainerSupport

Ticket update by Bala Natarajan (bala.Natarajan@portainer.io)

Hi

Kindly share the stack/service YAML of your system; we will try to reproduce.

@bjo81

bjo81 commented Mar 23, 2021

registry.domain.tld is an internal registry.

version: "3.7"
services:
  apache:
    image: registry.domain.tld/yxz/yxz/apache-swarm-dev:latest
    depends_on:
      - php
      - mysql
    networks:
      - frontend
      - backend
    ports:
      - target: 80
        published: 8280
        protocol: tcp
        mode: host
    labels:
      restic-compose-backup.volumes: 1
    volumes:
      - content:/var/www/html/public/content
      - var:/var/www/html/var
    deploy:
      placement:
        constraints: [node.hostname!=portainer]
  ionic:
    image: registry.domain.tld/yxz/yxz/ionic-dev
    networks:
      - frontend
    ports:
      - target: 80
        published: 8281
        protocol: tcp
        mode: host
    deploy:
      placement:
        constraints: [node.hostname!=portainer]
  mysql:
    image: mysql:5.6.40
    ports:
      - "3308:3306"
    networks:
      - backend
    environment:
      - MYSQL_ROOT_PASSWORD=yxz
      - MYSQL_USER=backup
      - MYSQL_PASSWORD=xyz
    volumes:
      - mysql:/var/lib/mysql
    labels:
      restic-compose-backup.mysql: 1
    deploy:
      placement:
        constraints: [node.hostname!=portainer]
networks:
  frontend:
  backend:
volumes:
  docroot:
  frontend:
  cache:
  mysql:
  content:
  var:

@PortainerSupport

Ticket update by Bala Natarajan (bala.Natarajan@portainer.io)

Hi

Looks like a bug.

After the stack is created and assigned restricted access, the non-admin user gets this error: Failure, unable to browse volume.

@balasu

balasu commented Mar 24, 2021

image

@ghost ghost changed the title Non-Admins are unable to browse their volumes non-admins unable to browse volumes created by stacks Mar 24, 2021
@huib-portainer huib-portainer added this to the CE-2.9.0 milestone Sep 13, 2021