[RBAC] A user that is not added in the rbac config (not having permissions) can access certain information on Everest

Description

STRs:
1. Install Everest 1.1.1
2. Create a user - ex: testuser - no need to login using this user in Everest 1.1.1
3. Create DB clusters
4. Upgrade to Everest 1.2.0
5. Open the db overview page for any or all dbs in other tabs + edit db page + create db page
6. Logout
7. Login using the testuser

Outcome:
1. DB overview page only hides information about monitoring endpoint, backups, host username + password. Everything else is visible to the user.
2. Create db cluster + Edit page also give information about the db cluster.

Extra:
The v1/resources endpoint is visible to any user.

Environment

None

Activity

Diogo Recharte November 8, 2024 at 3:26 PM

I believe that Yusaf had that tab open while he had permissions, then he removed permissions but the tab stayed the same, i.e. it shows the same info as before changing the permissions. I believe that Yusaf expected something to happen to the tab if the user lost permissions to view that content, like navigating to the home screen or something.

which policy should we require to read components? read database-clusters?

Yes, components aren’t separated from the DB clusters so that’s the permission you need.

Fábio Da Silva November 8, 2024 at 3:21 PM

I don’t quite understand the video from Oct. 31st:

  • When you don’t have permissions to create clusters, you should not see the button to create them. How did you end up in the wizard in one of those tabs?

  • Is the user in the wizard the same that logged in?

Also, which policy should we require to read components? read database-clusters?

Yusaf Awan October 31, 2024 at 12:46 PM

As discussed, let's move this bug to 1.4.0 (in progress) so that the refresh issue can be fixed and tested. Thanks.

Yusaf Awan October 31, 2024 at 8:33 AM

This is still reproducible until we refresh the page. I remember we discussed clearing cache and page refresh. Did we finalize something about this?

Yusaf Awan October 1, 2024 at 10:16 AM

As discussed, we need to move this ticket to the next release as well because this is part of that FE caching issue.
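The thread attributes the behaviour to frontend caching: data loaded while a tab had permissions stays visible after logout and login as a user with no RBAC rules, and a page refresh makes it go away. The following is an added illustration of that failure mode and one client-side mitigation; it is not Everest code. The policy rules, the resource "database-clusters/prod-pg", the user names and the `NaiveClient` / `SessionScopedClient` classes are all constructed for the example. The server-side check (`serverFetch`) is the real control in both variants; the client cache only decides whether a stale copy is shown before the server is asked again.

```javascript
// Constructed policy: only "admin" may read database-clusters.
// "testuser" has no rules at all, mirroring a user absent from the RBAC config.
const POLICY = [
  { subject: 'admin', resource: 'database-clusters', action: 'read' },
];

function isAllowed(policy, subject, resource, action) {
  return policy.some(
    (p) => p.subject === subject && p.resource === resource && p.action === action,
  );
}

// Constructed backend data for one cluster.
const BACKEND = {
  'database-clusters/prod-pg': {
    name: 'prod-pg',
    engine: 'postgresql',
    monitoringEndpoint: 'http://monitoring.example.invalid',
  },
};

// Server side: the policy is enforced on every request, independent of the UI.
function serverFetch(session, resourceKey) {
  const [resource] = resourceKey.split('/');
  if (!session.user || !isAllowed(POLICY, session.user, resource, 'read')) {
    return { status: 403, body: null };
  }
  return { status: 200, body: { ...BACKEND[resourceKey] } };
}

// Naive client: an in-memory cache keyed only by resource, never cleared on
// logout. A response fetched by one user is served to the next user of the tab.
class NaiveClient {
  constructor() {
    this.cache = new Map();
    this.session = { user: null };
  }
  login(user) { this.session = { user }; }
  logout() { this.session = { user: null }; }     // cache survives the logout
  reload() { this.cache.clear(); }                // a page refresh drops in-memory state
  get(resourceKey) {
    if (this.cache.has(resourceKey)) return this.cache.get(resourceKey);
    const res = serverFetch(this.session, resourceKey);
    if (res.status === 200) this.cache.set(resourceKey, res);
    return res;
  }
}

// Hardened client: cached data is scoped to a session, so any login or logout
// discards it and the next read goes back to the server's policy check.
class SessionScopedClient extends NaiveClient {
  login(user) { this.cache.clear(); super.login(user); }
  logout() { this.cache.clear(); super.logout(); }
}

// Replays the ticket's sequence: read as admin, log out, log in as testuser,
// read the same cluster. `refresh` simulates the page reload from the thread.
function runScenario(ClientClass, refresh = false) {
  const client = new ClientClass();
  client.login('admin');
  const first = client.get('database-clusters/prod-pg');
  client.logout();
  client.login('testuser');
  if (refresh) client.reload();
  const second = client.get('database-clusters/prod-pg');
  return {
    adminStatus: first.status,
    testuserStatus: second.status,
    leaked: second.status === 200,
  };
}
```

With `NaiveClient`, `runScenario` reports `leaked: true` unless `refresh` is set, which matches the observation that the stale view disappears after a page refresh; with `SessionScopedClient` the second read reaches `serverFetch` and is refused. Hiding buttons only removes the obvious path into the wizard; a client still has to drop whatever it already holds when the session changes.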

Created September 3, 2024 at 12:06 PM
Updated January 8, 2025 at 4:58 PM