apache / trafficcontrol

Apache Traffic Control is an Open Source implementation of a Content Delivery Network
https://trafficcontrol.apache.org/
Apache License 2.0

TO Tenancy/Users/Roles improvements #4064

Open rawlinp opened 4 years ago

rawlinp commented 4 years ago

I'm submitting a ...

Traffic Control components affected ...

Current behavior:

  1. users can change their own tenant (only to a child of their existing tenant)
  2. users within a tenant have the ability to edit that tenant itself (e.g. set the tenant to inactive)
  3. users can change their own role (only to a role with equal or lower priv_level)
  4. users with a certain role have the ability to edit that role itself (e.g. lower the priv_level)

Expected / new behavior:

The above behaviors should be prohibited. For the most part, I cannot think of a valid use case for any of the above behaviors, and it seems like an accident waiting to happen. For example, a user could accidentally inactivate their own tenant, preventing the entire tenant from making changes to their tenantable resources. This would require someone above their tenant to reactivate. In general, Tenants should only be editable by users in a parent Tenant (or above).

Minimal reproduction of the problem with instructions:

The basic behaviors can be reproduced easily through Traffic Portal (starting role should be admin so that you actually have permission to edit roles in the first place).

  1. click username at top right > manage user profile > change tenant to a child tenant > update
  2. user admin > tenants > click your tenant > set to inactive > update
  3. click username at top right > manage user profile > change role to something lower > update
  4. user admin > roles > click your role > change description > update
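
The restrictions requested in this issue can be expressed as three authorization checks. The Go sketch below is an added example, not code from Traffic Ops or from the issue author; the `Tenant` and `User` types, the function names, and the convention that `ParentID` 0 marks the root tenant are assumptions made for illustration.

```go
package main

import "fmt"

// Tenant and User are hypothetical types for this example, not Traffic Ops structs.
type Tenant struct{ ID, ParentID int } // assumption: ParentID 0 marks the root tenant
type User struct{ ID, TenantID, RoleID int }

// isStrictAncestor reports whether tenant anc sits above tenant id in the tree.
// A tenant is never its own ancestor, so same-tenant edits are rejected.
func isStrictAncestor(tenants map[int]Tenant, anc, id int) bool {
	for hops := 0; hops <= len(tenants); hops++ { // bound guards against parent cycles
		t, ok := tenants[id]
		if !ok || t.ParentID == 0 {
			return false
		}
		if t.ParentID == anc {
			return true
		}
		id = t.ParentID
	}
	return false
}

// CanEditTenant allows an edit only from a user in a parent tenant (or above).
func CanEditTenant(tenants map[int]Tenant, actor User, tenantID int) bool {
	return isStrictAncestor(tenants, actor.TenantID, tenantID)
}

// CanEditRole rejects edits to the role the actor currently holds.
func CanEditRole(actor User, roleID int) bool {
	return actor.RoleID != roleID
}

// CanUpdateUser rejects a self-update that changes the caller's own tenant or role.
// Updates to other users pass here and are left to the usual tenancy and privilege checks.
func CanUpdateUser(actor, current, proposed User) bool {
	if actor.ID == current.ID {
		return proposed.TenantID == current.TenantID && proposed.RoleID == current.RoleID
	}
	return true
}

// main runs the checks against a constructed three-level tenant tree: 1 > 2 > 3.
func main() {
	tenants := map[int]Tenant{1: {ID: 1}, 2: {ID: 2, ParentID: 1}, 3: {ID: 3, ParentID: 2}}
	u := User{ID: 10, TenantID: 2, RoleID: 5}
	fmt.Println(CanEditTenant(tenants, u, 2), CanEditTenant(tenants, u, 3), CanEditRole(u, 5))
}
```

Under these rules the root tenant has no parent, so no user passes `CanEditTenant` for it; a deployment would need a separate decision for that case.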

mitchell852 commented 4 years ago

also related - extend tenancy to change log entries to prevent tenancy leakage - https://github.com/apache/trafficcontrol/issues/941