[Bug]: Authz: UI is unusable without granting read rights to default namespace #3688

andi4000 opened this issue Dec 6, 2024 · 0 comments · Fixed by #3692
andi4000 commented Dec 6, 2024

Bug Description

Context

Consider the following namespaces on the instance:

  • team1-prod
  • team2-prod
  • team3-prod

and the following Rego policy:

```rego
package flipt.authz.v1
import rego.v1

# Deny everything that no rule below explicitly allows.
default allow := false

# Members of team1 may act on the team1-prod namespace only.
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "member-team1" in claims.roles
    input.request.namespace == "team1-prod"
}
```

Problem

On the first page load after authentication, the UI becomes unusable:

  • The namespace dropdown is not populated
  • Navigation to other namespaces is not possible
  • In the browser's network tab, the request `GET /api/v1/namespaces` fails with a 403 error

Workaround

As a workaround, read rights to the default namespace have to be granted using the following policy:

```rego
package flipt.authz.v1
import rego.v1

# Deny everything that no rule below explicitly allows.
default allow := false

# Any authenticated user with at least one group claim may read the
# default namespace; this is what lets the namespace list load.
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    count(claims.groups) > 0

    input.request.namespace == "default"
    input.request.action == "read"
}

# Members of team1 may act on the team1-prod namespace only.
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "member-team1" in claims.roles
    input.request.namespace == "team1-prod"
}
```

Limitation of the Workaround

While this workaround restores basic functionality, the User Experience remains suboptimal:

  • Users are greeted with a view of the default namespace, which they cannot edit (buttons are active)
  • Users must manually navigate to their own namespace via the dropdown
  • The dropdown displays all namespaces, including those the user does not own or have access to

Navigation to other namespaces is blocked, but it would be best if resource visibility were aligned with access permissions.

Version Info

flipt-1  | Version: v1.52.2
flipt-1  | Commit: 2d6a7e5d981a3077c26b96d481eb1fba147742f2
flipt-1  | Build Date: 2024-12-03T16:36:20Z
flipt-1  | Go Version: go1.23.3
flipt-1  | OS/Arch: linux/arm64

Search

  • I searched for other open and closed issues before opening this

Steps to Reproduce

Set up Flipt with the following namespaces on the instance:

  • team1-prod
  • team2-prod
  • team3-prod

and the following Rego policy:

```rego
package flipt.authz.v1
import rego.v1

# Deny everything that no rule below explicitly allows.
default allow := false

# Members of team1 may act on the team1-prod namespace only.
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "member-team1" in claims.roles
    input.request.namespace == "team1-prod"
}
```

And an authorization provider with member-team1 in the claim. Then log in with a user with the member-team1 role.

Expected Behavior

  • Users are redirected to any/the first assigned namespace upon login or first page load
  • Users can only see the namespaces they have authorization for

Additional Context

Config excerpt:

```yaml
# ...
authorization:
  required: true
  backend: local
  local:
    policy:
      path: "/var/run/policy.rego"
      poll_interval: 1m

authentication:
  required: true
  session:
    domain: "localhost:8080"
    secure: false
    csrf:
      key: "abcdef1234567890"
  methods:
    token:
      enabled: true
      cleanup:
         interval: 2h
         grace_period: 48h
    oidc:
      enabled: true
      providers:
        azure:
          issuer_url: "XXXX"
          client_id: "XXXX"
          client_secret: "XXXX"
          redirect_address: "http://localhost:8080"
      cleanup:
         interval: 2h
         grace_period: 48h

# ...
```
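The two policies above can be checked offline by modelling them as plain functions over the same input shape and running the requests the issue describes through both. The block below is an added example, not code from the issue or from the Flipt project; the claim values (`roles`, `groups`) and request set are constructed, and the namespace-listing call is modelled as being authorized against namespace `"default"` with action `"read"`, an assumption inferred from the fact that the workaround's `default`/`read` rule is what makes `GET /api/v1/namespaces` succeed. It shows why the first policy denies the listing call for a team1 member while the workaround permits it, and that neither grants anything beyond that.

```python
import json


def _claims(inp):
    """Mirror of json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])."""
    return json.loads(inp["authentication"]["metadata"]["io.flipt.auth.claims"])


def allow_original(inp):
    """The first policy from the issue: only team1 members may touch team1-prod.

    A Rego rule body is a conjunction, and a missing field makes the rule
    undefined (i.e. false); .get(..., []) reproduces that here."""
    claims = _claims(inp)
    req = inp["request"]
    return ("member-team1" in claims.get("roles", [])
            and req.get("namespace") == "team1-prod")


def allow_workaround(inp):
    """The workaround policy: additionally allow 'read' on 'default' for any
    user carrying at least one group claim."""
    claims = _claims(inp)
    req = inp["request"]
    default_read = (len(claims.get("groups", [])) > 0
                    and req.get("namespace") == "default"
                    and req.get("action") == "read")
    return default_read or allow_original(inp)


def make_input(roles, groups, namespace, action):
    """Build an input document shaped like the one both policies read.

    The claims travel as a JSON string, which is why the policies call
    json.unmarshal on them."""
    claims = json.dumps({"roles": roles, "groups": groups})
    return {
        "authentication": {"metadata": {"io.flipt.auth.claims": claims}},
        "request": {"namespace": namespace, "action": action},
    }


# Constructed identity: a team1 member who also belongs to one group.
TEAM1_USER = dict(roles=["member-team1"], groups=["engineering"])

# Assumption: the namespace-listing call is authorized as namespace "default",
# action "read". The remaining requests use namespaces from the issue.
SAMPLE_REQUESTS = {
    "list_namespaces": make_input(**TEAM1_USER, namespace="default", action="read"),
    "read_team1_prod": make_input(**TEAM1_USER, namespace="team1-prod", action="read"),
    "read_team2_prod": make_input(**TEAM1_USER, namespace="team2-prod", action="read"),
    "update_default": make_input(**TEAM1_USER, namespace="default", action="update"),
}


def evaluate(policy):
    """Run every sample request through one policy; returns {name: allowed}."""
    return {name: policy(inp) for name, inp in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("original", allow_original), ("workaround", allow_workaround)):
        print(label, evaluate(policy))
```

Under the original policy the listing call is the only team1 request that fails, which is the 403 the issue reports; under the workaround it passes, while `team2-prod` and writes to `default` stay denied for this user. A user with no group claim at all still cannot list namespaces even with the workaround, since `count(claims.groups) > 0` is part of that rule.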
@andi4000 andi4000 added the bug label Dec 6, 2024
@andi4000 andi4000 changed the title [Bug]: UI is unusable without granting read rights to default namespace [Bug]: Authz: UI is unusable without granting read rights to default namespace Dec 6, 2024
@erka erka closed this as completed in ea9a266 Dec 18, 2024
@github-project-automation github-project-automation bot moved this to Done in Roadmap Dec 18, 2024