Policy Permit Privileges without brackets doesn't produce an error
jvanderhoof opened this issue · comments
Summary
This issue arose from a customer call. The customer had created a Permit
in the following form:
- !permit
role: !group bar-reader
privileges: read, execute
resource: !variable bar
instead of the correct form:
- !permit
role: !group bar-reader
privileges: [ read, execute ]
resource: !variable bar
When the customer attempted to retrieve the variable value, they received an error that the host did not have execute permission.
Steps to Reproduce
These steps were run using the conjurdemos/dap-intro project.
- Start a DAP instance:
bin/dap --provision-master
. - Navigate to the Conjur UI using Firefox (Chrome blocks the ability to accept unknown certificates).
- Create a bad policy file:
# policy/malformed-permission-list/bad-policy.yml - !policy id: default body: - !host foo - !variable bar - !group bar-reader - !permit role: !group bar-reader privileges: read, execute resource: !variable bar - !grant member: !host foo role: !group bar-reader
- Load the Policy into Conjur:
bin/cli conjur policy load root policy/malformed-permission-list/bad-policy.yml
- Copy the created API key for the
default/foo
host and save it for future use. - Navigate to the Variable
bar
in the UI: https://localhost/ui/secrets/default%2Fbar - Note that the Group
default/bar-reader
appears to have read/execute permission, which means members of that group (including thedefault/foo
host) should be able to see and view the value ofdefault/bar
:
- Logout of the UI
- Login to the UI using the username
host/default/foo
, and the API key captured above. - Try to view the variable
default/bar
in the UI: https://localhost/ui/secrets/default%2Fbar. - Notice that the page is white. Looking at the docker logs for the leader, not the following line:
Completed 403 Forbidden
- Create a good version of the policy file:
# policy/malformed-permission-list/good-policy.yml - !policy id: default body: - !host foo - !variable bar - !group bar-reader - !permit role: !group bar-reader privileges: [ read, execute ] resource: !variable bar - !grant member: !host foo role: !group bar-reader
- Load the fixed file:
bin/cli conjur policy load root policy/malformed-permission-list/good-policy.yml
- Reload the Variable page in Firefox, and note that the page loads as expected.
Expected Results
Privileges in policy are technically allowed to be anything. We use the strings read
, execute
, and update
to define permissions enable a variable to be shown, see the variable value, and update a value.
Setting the privileges to a string instead of an array is technically permitted, but feels at odds with the intended outcome. I propose the following change:
privileges
values must be provided as an array.privilege
(if supported) must be provide as a string.privileges
/privilege
values only support non-accented alphabetic characters.
Actual Results
A clear and concise description of what actually did happen. Include logs and
screens shots, whenever possible
Reproducible
- Always
- Sometimes
- Non-Reproducible
Version/Tag number
What version of the product are you running? Any version info that you can
share is helpful. For example, you might give the version from Docker logs,
the Docker tag, a specific download URL, the output of the /info
route, etc.
Environment setup
- Can you describe the environment in which this product is running? Is it running on a VM / in a container / in a cloud?
- Which cloud provider? Which container orchestrator (including version)?
- The more info you can share about your runtime environment, the better we may be able to reproduce the issue.
Additional Information
Add any other context about the problem here.