Rundeck: Key Storage UI Does Not Honor Storage ACL Policy

Created on 13 May 2019 · 4 comments · Source: rundeck/rundeck

Describe the bug
When specifying a storage ACL policy that uses match and/or equals, storage key paths are no longer displayed in the UI.

My Rundeck detail

  • Rundeck version: 3.0.21-20190424
  • install type: deb
  • OS Name/version: Ubuntu 18.04
  • DB Type/version: H2

To Reproduce
Steps to reproduce the behavior:

  1. As an admin, add a couple of keys (e.g. keys/test1/test1.pem, keys/test2/test2.pem).
  2. Create a non-admin user and an ACL policy for that user with read-only access to one of the folders:

description: rduser, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: 'read' # allow read of the keys/test1 folder itself (exact path)
      equals:
        path: 'keys/test1'
    - allow: 'read' # allow read of everything below keys/test1 (regex)
      match:
        path: 'keys/test1/.*'
by:
  group: teststorage

  3. Log in to Rundeck as the non-admin user.
  4. Go to System > Key Storage.
  5. See that test1 is no longer listed.

Expected behavior
The key storage UI should display any keys and folders that the user has permissions for and allow them to navigate them.

Desktop (please complete the following information):

  • OS: macOS Mojave 10.14.3
  • Browser: Chrome
  • Version: 74.0.3729.131

Additional context
This bug doesn't affect access to the keys, either during job execution or in the UI if I specify the path in the browser (e.g. http://localhost:4440/menu/storage/keys/test1/). I can still view the keys if I enter test1 in the input field on the System > Key Storage page, while at the same time I'm blocked from any folders and keys I don't have permission for.

Note: When I specify an equals or a match condition for a storage ACL policy, it also appears to break default key selection in the project configuration.

Label: bug

All 4 comments

Hi Dutch,

I ran some tests with your very example, just changing a few things; try it this way:

description: testuser, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - equals:
        path: 'keys' 
      allow: [read]
    - match:
        path: 'keys/prueba2' # allow to view only the prueba2 keys in the path (prueba2)
      allow: [read]
    - equals:
        path: 'keys/prueba2/prueba2'
      allow: [read]
by:
  group: user

I created a key called prueba3 on the same path and the testuser is only able to view prueba2.

Occurs on 3.2.5 too. I followed this:

https://docs.rundeck.com/docs/administration/security/key-storage.html#examples

My ACL (doesn't work):

description: rduser, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*'
  project:
    - allow: '*'
  project_acl:
    - allow: '*' 
  storage:
    - equals:
        path: 'keys' 
      allow: [read]
    - match:
        path: 'keys/something'
      allow: [read]
    - equals:
        path: 'keys/something/.*'
      allow: [read]
by:
  group: user

@elioe's way works in my case (referencing the key directly):

description: rduser, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*'
  project:
    - allow: '*'
  project_acl:
    - allow: '*'
  storage:
    - equals:
        path: 'keys' 
      allow: [read]
    - match:
        path: 'keys/something'
      allow: [read]
    - equals:
        path: 'keys/something/password1'
      allow: [read]
by:
  group: user

maybe I'm forgetting something?

@MegaDrive68k replacing "equals" with "match" seems to do the wild-card trick:

Before:

    - equals:
        path: 'keys/something/.*'
      allow: [read]

After:

    - match:
        path: 'keys/something/.*'
      allow: [read]

Thanks @runwaldo !
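To make the behaviour discussed in this thread concrete, here is an added example (not Rundeck's code, and not posted by anyone in the thread): a small Python simulator that applies `equals` and `match` storage rules to a set of constructed key paths and reports, per policy, which keys are readable by exact path and which would actually appear when browsing down from the `keys` root. The policies are transcribed from the YAML posted above; the key paths are constructed for the demo. It assumes `equals` is an exact string comparison, `match` is a regular expression that must match the whole path, a matching deny beats any allow, and the Key Storage browser only lists an entry when the user can read every folder between `keys` and that entry.

```python
import re

# Storage rules transcribed from the ACL policies posted in this thread,
# written as Python literals so the example needs no YAML library.
ISSUE_POLICY = [                     # reporter's policy: nothing grants read on 'keys' itself
    {"allow": "read", "equals": {"path": "keys/test1"}},
    {"allow": "read", "match": {"path": "keys/test1/.*"}},
]
ISSUE_POLICY_WITH_ROOT = [           # same, plus read on the 'keys' root (as in @elioe's reply)
    {"allow": ["read"], "equals": {"path": "keys"}},
] + ISSUE_POLICY
BROKEN_POLICY = [                    # @MegaDrive68k's first attempt: a regex under `equals`
    {"allow": ["read"], "equals": {"path": "keys"}},
    {"allow": ["read"], "match": {"path": "keys/something"}},
    {"allow": ["read"], "equals": {"path": "keys/something/.*"}},
]
FIXED_POLICY = [                     # @runwaldo's fix: the regex moved under `match`
    {"allow": ["read"], "equals": {"path": "keys"}},
    {"allow": ["read"], "match": {"path": "keys/something"}},
    {"allow": ["read"], "match": {"path": "keys/something/.*"}},
]

# Constructed key-storage contents for the demo (not from the issue).
KEYS = [
    "keys/test1/test1.pem",
    "keys/test2/test2.pem",
    "keys/something/password1",
    "keys/something/nested/token",
    "keys/other/secret",
]


def _actions(value):
    """`allow`/`deny` may be one string ('read') or a list ([read]); normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def rule_matches(rule, path):
    """Does the rule's selector apply to `path`?

    Assumed semantics: `equals` is an exact string comparison, `match` is a
    regular expression that must match the entire path (re.fullmatch).  That is
    why equals: 'keys/something/.*' matches nothing: the dot-star is literal.
    """
    if "equals" in rule:
        return rule["equals"]["path"] == path
    if "match" in rule:
        return re.fullmatch(rule["match"]["path"], path) is not None
    return False


def can_read(policy, path):
    """Read access for `path`: any matching deny wins; otherwise any matching
    allow containing 'read' or '*' grants it (assumed precedence)."""
    allowed = False
    for rule in policy:
        if not rule_matches(rule, path):
            continue
        if {"read", "*"} & set(_actions(rule.get("deny"))):
            return False
        if {"read", "*"} & set(_actions(rule.get("allow"))):
            allowed = True
    return allowed


def ancestors(path):
    """'keys/a/b' -> ['keys', 'keys/a']: the folders the UI walks to reach the key."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def browsable(policy, path):
    """Can the Key Storage browser reach `path` from the root?  Assumes it lists
    an entry only when every ancestor folder and the entry itself are readable."""
    return all(can_read(policy, p) for p in ancestors(path) + [path])


def readable_keys(policy, keys):
    """Keys a user could fetch by typing the exact path (no browsing needed)."""
    return sorted(k for k in keys if can_read(policy, k))


def visible_keys(policy, keys):
    """Keys the user would actually see when browsing down from 'keys'."""
    return sorted(k for k in keys if browsable(policy, k))


if __name__ == "__main__":
    for name, policy in [("issue", ISSUE_POLICY), ("issue+root", ISSUE_POLICY_WITH_ROOT),
                         ("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)]:
        print(f"{name:11} readable={readable_keys(policy, KEYS)}")
        print(f"{name:11} visible ={visible_keys(policy, KEYS)}")
```

Under these assumptions the reporter's policy leaves keys/test1/test1.pem readable by direct path but invisible in the browser, because `keys` itself is never granted; adding a rule for the root makes it visible. The `equals: 'keys/something/.*'` rule matches no path at all, which is what swapping it for `match` repairs.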
