Removing a label created by another user doesn't work

Question

Removing a label created by another user doesn't work

atkinsj opened this issue 4 years ago · comments

I'm unable to remove labels on hosts. v3.4.0.1 server and clients.

Add label to host
Try to remove label from host
Label is not removed

mbushkov · Answer 1 · Thu May 14 2020 01:47:27 GMT+0800 (China Standard Time)

Thanks for the report!
I suppose you do it from the UI. If you open Chrome Dev tools, do you see anything suspicious, like Javascript errors in the console or network errors in the Network tab?

atkinsj · Answer 2 · Thu May 14 2020 01:51:22 GMT+0800 (China Standard Time)

Nothing in the console, I did try the API via Python as well: client.RemoveLabel(label) but it has no effect.

mbushkov · Answer 3 · Thu May 14 2020 02:05:55 GMT+0800 (China Standard Time)

Hm, I can't reproduce on a fresh v3.4.0.1 deployment.

Two questions:

In the console, what is the output of client.data.labels? Who is the owner of the label?
If you run the AdminUI in verbose mode (see https://grr-doc.readthedocs.io/en/latest/installing-grr-server/troubleshooting.html#any-some-of-the-grr-services-are-not-running-correctly), do you see anything suspicious logged to the terminal?

atkinsj · Answer 4 · Thu May 14 2020 02:08:21 GMT+0800 (China Standard Time)

Huh, so the owner of the label is a user other than me. Am I only able to remove labels added by myself?

Our deployment makes restarting the server with --verbose a little more difficult, will have to give that a shot later.

mbushkov · Answer 5 · Thu May 14 2020 03:15:00 GMT+0800 (China Standard Time)

@atkinsj - yes, I think the owner issue is the root cause:
https://github.com/google/grr/blob/master/grr/server/grr_response_server/gui/api_plugins/client.py#L641

The code removes the label only for the user who makes the request. This sounds like a regression: IIRC, we didn't have this limitation in AFF4.