apache / trafficcontrol

Apache Traffic Control is an Open Source implementation of a Content Delivery Network
https://trafficcontrol.apache.org/
Apache License 2.0

Read-only user can create cdns #3164

Closed moltzaum closed 5 years ago

moltzaum commented 5 years ago

Logging in with a read-only user and posting a cdn results in the following:

{
  "alerts": [
    {
      "text": "Forbidden.",
      "level": "error"
    }
  ]
}
{
  "alerts": [
    {
      "text": "cdn was created.",
      "level": "success"
    }
  ],
  "response": {
    "dnssecEnabled": false,
    "domainName": "new_name",
    "id": 2,
    "lastUpdated": "2018-12-27 17:41:25+00",
    "name": "cdn"
  }
}

The odd thing is that there is a forbidden error, but the cdn gets created anyway.

A similar issue is mentioned in #3116, which mentions tenancy as the problem. I did not test this with different tenancies for the read-only user (everything was done with the root tenant). Changing the global use_tenancy parameter did not seem to change anything though.

I doubt this is a tenancy problem, but if it is it might get fixed by #3163.
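The symptom in the report (a "Forbidden." alert followed by a "cdn was created." alert in the same response) is what a handler produces when the authorization check writes the error but does not stop executing. The example below is added here to illustrate that pattern and its fix; it is not Traffic Ops code and does not claim to be the actual cause of this bug. The privilege levels, the `X-Priv-Level` header, the in-memory store and the `/api/cdns` path are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Privilege levels constructed for this example (not Traffic Ops' real values).
const (
	privReadOnly = 10
	privAdmin    = 30
)

// alertsBody mirrors the {"alerts": [...], "response": {...}} shape in the report.
type alert struct {
	Text  string `json:"text"`
	Level string `json:"level"`
}
type alertsBody struct {
	Alerts   []alert        `json:"alerts"`
	Response map[string]any `json:"response,omitempty"`
}

// cdnStore stands in for the cdn table.
type cdnStore struct {
	mu   sync.Mutex
	cdns []string
}

func (s *cdnStore) add(name string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.cdns = append(s.cdns, name)
	return len(s.cdns)
}

func (s *cdnStore) count() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.cdns)
}

func writeAlert(w http.ResponseWriter, status int, text, level string, resp map[string]any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(alertsBody{Alerts: []alert{{Text: text, Level: level}}, Response: resp})
}

// privLevelFromRequest reads the caller's role from a header; a real API would
// take it from the authenticated session. Assumption for this example only.
func privLevelFromRequest(r *http.Request) int {
	if r.Header.Get("X-Priv-Level") == "admin" {
		return privAdmin
	}
	return privReadOnly
}

// buggyCreateCDN writes the Forbidden alert but falls through, so the insert
// still happens and a second JSON document is appended to the same body.
// A real net/http server logs the second WriteHeader as superfluous and keeps
// the 403 status, but the body write goes through, giving both alerts.
func buggyCreateCDN(store *cdnStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if privLevelFromRequest(r) < privAdmin {
			writeAlert(w, http.StatusForbidden, "Forbidden.", "error", nil)
			// missing return: execution continues into the create below
		}
		name := r.URL.Query().Get("name")
		id := store.add(name)
		writeAlert(w, http.StatusOK, "cdn was created.", "success", map[string]any{"id": id, "name": name})
	}
}

// fixedCreateCDN returns immediately after rejecting the caller.
func fixedCreateCDN(store *cdnStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if privLevelFromRequest(r) < privAdmin {
			writeAlert(w, http.StatusForbidden, "Forbidden.", "error", nil)
			return
		}
		name := r.URL.Query().Get("name")
		id := store.add(name)
		writeAlert(w, http.StatusOK, "cdn was created.", "success", map[string]any{"id": id, "name": name})
	}
}

// countJSONDocs counts how many top-level JSON documents the body contains.
func countJSONDocs(body string) int {
	dec := json.NewDecoder(strings.NewReader(body))
	n := 0
	for {
		var v any
		if err := dec.Decode(&v); err != nil {
			return n
		}
		n++
	}
}

// outcome records the HTTP status, rows stored afterwards and JSON documents in the body.
type outcome struct{ Status, Stored, Docs int }

// runCreate sends one POST /api/cdns?name=cdn as the given role against a fresh store.
func runCreate(buggy bool, role string) outcome {
	store := &cdnStore{}
	h := fixedCreateCDN(store)
	if buggy {
		h = buggyCreateCDN(store)
	}
	req := httptest.NewRequest(http.MethodPost, "/api/cdns?name=cdn", nil)
	req.Header.Set("X-Priv-Level", role)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return outcome{Status: rec.Code, Stored: store.count(), Docs: countJSONDocs(rec.Body.String())}
}

func main() {
	fmt.Printf("buggy, read-only: %+v\n", runCreate(true, "read-only"))  // Stored:1 Docs:2
	fmt.Printf("fixed, read-only: %+v\n", runCreate(false, "read-only")) // Stored:0 Docs:1
	fmt.Printf("fixed, admin:     %+v\n", runCreate(false, "admin"))     // Stored:1 Docs:1
}
```

The useful check when triaging a report like this is the one `runCreate` makes: compare the stored row count after the rejected request, not just the status code, since the status alone stays 403 in both versions.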

rob05c commented 5 years ago

It's not related to tenancy.

The "Priv Level" stuff needs to be removed as soon as https://github.com/apache/trafficcontrol/pull/2791 is merged and Tenancy is permanently enabled. But until then, we should certainly fix this bug.