Restrict permissions for adding scopes or manipulating identities #6267
We are now using a policy package, but it probably has this issue. @dynamic-entropy, want to take a look?
dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 21, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.

dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 21, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.

dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 21, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.

dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 24, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.

dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 24, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some tests needed to be adapted to the changes.

bari12 pushed a commit that referenced this issue on Jul 25, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some tests needed to be adapted to the changes.

Backport 1.29.14

dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 25, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some tests needed to be adapted to the changes.

dchristidis added a commit to dchristidis/rucio that referenced this issue on Jul 25, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some tests needed to be adapted to the changes.

bari12 pushed a commit that referenced this issue on Jul 31, 2023:
This affects the following:
* Adding new scopes (perm_add_scope)
* Adding new identities (perm_add_account_identity)
* Deleting existing identities (perm_del_account_identity)
Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some tests needed to be adapted to the changes.
Description
It has come to our attention that some permissions are not restrictive enough. Specifically:
* perm_add_scope
* perm_add_account_identity
* perm_del_account_identity
For the latter two, they can only affect one's own account, but it should probably be restricted nonetheless.
Steps to reproduce
The snippet below, run as user jdoe, does not raise an error:
```
$ rucio-admin scopes add --account jdoe --scope covfefe
```
Rucio Version
No response
Additional Information
Affected policies are:
atlas.py
cms.py
escape.py
generic.py
generic_multi_vo.py
We’ll certainly change it for ATLAS and the generic policies. @ericvaandering and @egazzarr, thoughts for CMS and ESCAPE respectively?
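To make the gap concrete, here is an added illustration that is not Rucio's code and does not reproduce its policy package: a hypothetical permission table in the style of the `perm_*` callables named above, with a "before" policy that mirrors the behaviour described in this issue (scope creation open to any account, identity changes limited to one's own account) next to an "after" policy that requires administrative privileges for all three actions. The account table, the admin set and the `has_permission` dispatcher are constructed for the example; the dispatcher denies unknown actions rather than raising, so a missing table entry fails closed.

```python
"""Hypothetical permission-policy example (added illustration, not Rucio code).

Shows the three actions from the issue under two policies:
  BEFORE - the behaviour the issue reports (too permissive)
  AFTER  - administrative privileges required for all three
"""
from typing import Callable, Dict

# Constructed sample data: which accounts hold administrative privileges.
# In a real deployment this would come from the account store (assumption).
ADMIN_ACCOUNTS = {"root"}

PermCheck = Callable[[str, dict], bool]


def _is_admin(issuer: str) -> bool:
    """Return True if the issuing account is an administrator."""
    return issuer in ADMIN_ACCOUNTS


def _is_own_account(issuer: str, kwargs: dict) -> bool:
    """Return True if the action targets the issuer's own account."""
    return kwargs.get("account") == issuer


# --- BEFORE: the behaviour described in the issue -------------------------
def before_perm_add_scope(issuer: str, kwargs: dict) -> bool:
    # Unrestricted: any authenticated account may create a scope.
    return True


def before_perm_add_account_identity(issuer: str, kwargs: dict) -> bool:
    # Restricted only to the issuer's own account (or an admin).
    return _is_admin(issuer) or _is_own_account(issuer, kwargs)


def before_perm_del_account_identity(issuer: str, kwargs: dict) -> bool:
    # Same restriction as adding an identity.
    return _is_admin(issuer) or _is_own_account(issuer, kwargs)


# --- AFTER: administrative privileges required ----------------------------
def after_perm_add_scope(issuer: str, kwargs: dict) -> bool:
    return _is_admin(issuer)


def after_perm_add_account_identity(issuer: str, kwargs: dict) -> bool:
    return _is_admin(issuer)


def after_perm_del_account_identity(issuer: str, kwargs: dict) -> bool:
    return _is_admin(issuer)


# Action name -> checker, one table per policy (hypothetical names).
BEFORE: Dict[str, PermCheck] = {
    "add_scope": before_perm_add_scope,
    "add_account_identity": before_perm_add_account_identity,
    "del_account_identity": before_perm_del_account_identity,
}

AFTER: Dict[str, PermCheck] = {
    "add_scope": after_perm_add_scope,
    "add_account_identity": after_perm_add_account_identity,
    "del_account_identity": after_perm_del_account_identity,
}


def has_permission(policy: Dict[str, PermCheck], issuer: str,
                   action: str, kwargs: dict) -> bool:
    """Dispatch an action to the policy's checker; unknown actions are denied.

    Failing closed here matters: a typo or a missing table entry must not
    silently become an implicit allow.
    """
    checker = policy.get(action)
    if checker is None:
        return False
    return bool(checker(issuer, kwargs))


def compare(issuer: str, action: str, kwargs: dict):
    """Return (before, after) decisions for the same request."""
    return (has_permission(BEFORE, issuer, action, kwargs),
            has_permission(AFTER, issuer, action, kwargs))


if __name__ == "__main__":
    # The reproduction from the issue: a non-admin adding a scope.
    req = {"account": "jdoe", "scope": "covfefe"}
    print("jdoe add_scope (before, after):", compare("jdoe", "add_scope", req))
    print("root add_scope (before, after):", compare("root", "add_scope", req))
    print("jdoe add identity on alice:",
          compare("jdoe", "add_account_identity", {"account": "alice"}))
```

Running the module prints `(True, False)` for the `jdoe` scope case, which is exactly the reproduction in this issue: the command succeeds under the old policy and is refused once administrative privileges are required.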