microsoft / AzureStorageExplorer

Easily manage the contents of your storage account with Azure Storage Explorer. Upload, download, and manage blobs, files, queues, tables, and Cosmos DB entities. Gain easy access to manage your virtual machine disks. Work with either Azure Resource Manager or classic storage accounts, plus manage and configure cross-origin resource sharing (CORS) rules.
Creative Commons Attribution 4.0 International

After PIM activation into group membership, Storage Explorer needs Reset > Authentication to pick up new rights #8000

Open austindonnelly opened 3 months ago

austindonnelly commented 3 months ago

Preflight Checklist

Storage Explorer Version

1.34.0 (99)

Regression From

No response

Architecture

x64

Storage Explorer Build Number

20240523.2

Platform

Windows

OS Version

Windows 11 24H2

Bug Description

Our RBAC config for a storage account grants Storage Queue Data Reader role permanently to a group, called QueueReaders - this is for normal monitoring use. If we need to edit the queue, we require users to PIM-activate into membership of a group called QueueWriters. The QueueWriters group is permanently granted Storage Queue Data Contributor access to the storage account, but normally has zero members until someone PIM activates their membership.

This works, but there's a long delay between activating group membership and being able to operate on the queue in Storage Explorer. This can be sped up by going Help > Reset and resetting the authentication. This then forces a reconnect via the normal Account Management flow, and has the side effect of getting a new user token.

The user JWT token lists the group memberships as part of the token, so I imagine that the token gets cached, and the effect of elevation isn't seen until the token is refreshed.

Would it be possible to have a "Refresh token" option in the menu somewhere, so we can get a new token faster?

Repro steps:

Steps to Reproduce

  1. Set up RBAC groups as described in the report:
     a. Create a QueueReader group, grant Storage Queue Data Reader to the storage account. Add the test user to this group.
     b. Create a QueueWriter group, grant Storage Queue Data Contributor to the storage account.
     c. Configure the QueueWriter group to be a PIM-enabled group, and configure the test user as eligible to activate into membership of the group.
     d. Enqueue a test message into the queue.
  2. Start Storage Explorer. Navigate to the queue. Check you can read the test message.
  3. Attempt to delete the message: permission denied (expected) because you only have QueueReader membership.
  4. PIM activate membership of QueueWriter group.
  5. Attempt to delete the message: permission denied - unexpected, because user is now elevated. BUG.
  6. Help > Reset, choose authentication only
  7. Re-add the user account
  8. Attempt to delete the message: delete succeeds

Actual Experience

Delete queue message fails with a permission-denied type error

Expected Experience

Delete queue message should succeed.

Additional Context

No response
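The report above attributes the delay to a cached access token whose group claims predate the PIM activation. The following is an added example, written for this page and not part of Storage Explorer or the reporter's setup, that shows how a client could inspect a token it already holds and decide whether a refresh is what's needed. It assumes the access token carries a `groups` claim listing group object IDs (which depends on the app's token configuration in Entra ID; large memberships can also overflow into an overage claim instead); the group IDs, timestamps and tokens are constructed placeholders, and the decoder deliberately does not verify the signature, so its output is only for local inspection, never for authorization.

```python
import base64
import json

# Constructed sample values for this example (not from the issue). Entra group
# object IDs are GUIDs, so these placeholders only mimic that shape.
QUEUE_READERS_GID = "11111111-1111-1111-1111-111111111111"   # permanent membership
QUEUE_WRITERS_GID = "22222222-2222-2222-2222-222222222222"   # PIM-activated membership
ACTIVATION_TIME = 1_700_000_000                               # constructed epoch seconds


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature segment.
    Used only to construct sample input here; a real access token is signed
    by the issuer and must be validated by the resource, not by this code."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Adequate for looking at a token you already hold (e.g. which groups it
    carries); never use unverified claims to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def refresh_decision(claims: dict, required_group: str, activated_at: int, now: int) -> str:
    """Classify a cached token relative to a PIM activation.

    "has_group" - the token already carries the activated group; no refresh needed
    "expired"   - the token is past exp; the client has to acquire a new one anyway
    "stale"     - issued before activation, so it cannot carry the new membership;
                  a refresh is the fix (the situation described in the issue)
    "missing"   - issued after activation yet still lacks the group, so a refresh
                  will not help; check the activation or the group-claim config
    """
    if required_group in set(claims.get("groups", [])):
        return "has_group"
    if claims.get("exp", 0) <= now:
        return "expired"
    if claims.get("iat", 0) < activated_at:
        return "stale"
    return "missing"


# Constructed sample tokens: one issued before activation, one re-acquired after.
TOKEN_BEFORE = make_unsigned_token({
    "sub": "test-user", "iat": ACTIVATION_TIME - 600, "exp": ACTIVATION_TIME + 3000,
    "groups": [QUEUE_READERS_GID],
})
TOKEN_AFTER = make_unsigned_token({
    "sub": "test-user", "iat": ACTIVATION_TIME + 60, "exp": ACTIVATION_TIME + 3660,
    "groups": [QUEUE_READERS_GID, QUEUE_WRITERS_GID],
})


def classify(token: str, now: int = ACTIVATION_TIME + 120) -> str:
    """Decide what to do with `token` given the (constructed) activation time."""
    return refresh_decision(decode_jwt_claims(token), QUEUE_WRITERS_GID, ACTIVATION_TIME, now)


if __name__ == "__main__":
    for name, tok in (("cached token", TOKEN_BEFORE), ("re-acquired token", TOKEN_AFTER)):
        print(f"{name}: {classify(tok)}")
```

The useful distinction for a client is between "stale" and "missing": only the first is cured by a token refresh (the "Refresh token" option the reporter asks for), while the second points at the activation or the claim configuration, so blindly re-acquiring tokens would not help there. Comparing `iat` against the activation time is what separates the two.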

craxal commented 3 months ago

@austindonnelly Yes, I'm guessing the token contains permission information. The PIM-activate changes the permissions granted to identities in the group, which effectively makes the permission information in the token out-of-date. I can see a manual token refresh being useful.

I don't think a full auth reset should be necessary, though. Can you just sign out and sign back in?

austindonnelly commented 3 months ago

Yes, that works (Remove account, Re-add account). But that's quite heavyweight compared to what I really would like, which is a "Refresh token" menu option.