Restrict permissions for adding scopes or manipulating identities #6267
Assignees
Labels
Milestone
Comments
dchristidis
added
bug
Authentication & Authorisation
backport
|
We are now using a policy package, but it probably has these issue. @dynamic-entropy want to take a look? |
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 21, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 21, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 21, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 24, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges.
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 24, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some test needed to be adapted to the changes.
bari12
pushed a commit
that referenced
this issue
Jul 25, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some test needed to be adapted to the changes.
|
Backport 1.29.14 |
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 25, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some test needed to be adapted to the changes.
dchristidis
added a commit
to dchristidis/rucio
that referenced
this issue
Jul 25, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some test needed to be adapted to the changes.
bari12
pushed a commit
that referenced
this issue
Jul 31, 2023
This affects the following: * Adding new scopes (perm_add_scope) * Adding new identities (perm_add_account_identity) * Deleting existing identities (perm_del_account_identity) Previously, they were unrestricted (for the latter two, they could only affect one's own account). Instead, they will now require administrative privileges. Some test needed to be adapted to the changes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
It has come to our attention that some permissions are not restrictive enough. Specifically:
perm_add_scope)perm_add_account_identity)perm_del_account_identity)For the latter two, they can only affect one’s own account, but it should probably be restricted nonetheless.
Steps to reproduce
The snippet below, run as user
jdoe, does not raise an error:$ rucio-admin scopes add --account jdoe --scope covfefeRucio Version
No response
Additional Information
Affected policies are:
atlas.pycms.pyescape.pygeneric.pygeneric_multi_vo.pyWe’ll certainly change it for ATLAS and the generic policies. @ericvaandering and @egazzarr, thoughts for CMS and ESCAPE respectively?
The text was updated successfully, but these errors were encountered: