Open qwertzdenek opened 11 months ago
Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?
@awesome-manuel I really need to access my server admin panels ... is there any workaround or tweak to log in on a server running MAS?
This is a big issue for me too: I'm not going into MAS due to the fact I cannot admin the server.
Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?
As soon as the adminAPI responds with the first "You are not a server admin", synapse admin will terminate the session (did not check if this behavior is configurable).
There is quite a dirty workaround:
If you temporarily block the adminAPI (either on the client- or the server side), the session will be kept open.
Then one can navigate to the compat_sessions table of the MAS DB and set the flag is_synapse_admin for the given session to true.
After unblocking the adminAPI, the session should work as intended.
@schwadim do you have a log of the browser debug console to share?
@awesome-manuel I am working on a testing environment with lots of issues and moving parts. Therefore I doubt that my personal browser debug console would be of any help. But let me know if you want me to provide one anyway.
In essence all I'm doing is:
_synapse/admin
pathURL rule
tab_synapse/admin/
I need to know the exact answer of synapse that you need to block. Maybe this can be detected to be a MAS request.
I am blocking all requests towards /_synapse/admin as all of them would be answered with the 403 response: {"errcode":"M_FORBIDDEN","error":"You are not a server admin"}
Receiving such a response, synapse-admin silently performs a logout.
If not blocked, the first request leading to a logout happens to be: https://my_synapse/_synapse/admin/v2/users?deactivated=false&dir=f&from=0&guests=true&limit=10&order_by=name
So I'm simply gaining time to actually assign the required permissions to the session. It is just a hacky workaround.
Instead of tweaking the MAS database, one can also generate a new token via mas-cli and change device_id and access_token in the browser local storage while being logged in with blocked /_synapse/admin path. After reloading and unblocking one is able to work with the new token.
Yet another workaround would be:
mas-cli
access_token
, base_url
, device_id
, user_id
A real OIDC login workflow is required for synapse-admin with MAS. An example could be under certain circumstances
@awesome-manuel Just asking if this is generally planned to be fixed? Would be great to be able to use Synapse-Admin again after 10 months ... ;-)
First step is to add identifier to login flow. PR #601
A helpful guide could be: https://areweoidcyet.com/client-implementation-guide/
Prerequisites
Steps to Reproduce
Problem
MAS doesn't let you get "synapse admin" rights through the legacy auth flow, as the legacy flow doesn't have a way to specify whether the session should have the admin rights or not. Best option would be native OIDC implementation in Synapse-Admin to work with MAS.
Or you can add the possibility to use a static pre-generated admin token which can be issued using the CLI.