Inconsistent behavior for parsing roles/members from ldap memberOf
andythsu opened this issue · comments
Description:
Scenario 1:
The /userinfo request made from the frontend is coming from this line, and the /findQueryHistory request made from the frontend is coming from this line.
The way that these two lines retrieve the user's memberOf suggests that memberOf should return something in the form of ADMIN_USER_API. The roles array will store the user's roles, where each element in the array is one of the user's different roles.
Scenario 2:
The way that principal.getMemberOf() should actually be used is below:
This suggests that, given an operation and the privilege required to perform that operation, we check whether the user's memberOf matches the regex.
For example, if my principal.getMemberOf() returns
memberOf: CN=123, ...
memberOf: CN=456, ...
memberOf: CN=789, ...
as long as I set my configuration to
authorization:
admin: .*123.*
user: .*456.*
api: .*999.*
I'm privileged to perform any admin and user operation in this case because my regex matches.
Problem:
Scenario 1 and Scenario 2 have conflicting format requirements for principal.getMemberOf(). Satisfying one will break the other.
Solution:
Either I misunderstand the flow here, or I can send a PR to fix this issue.
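The two interpretations described in the issue, side by side, as an added illustration that is not part of the issue or of the project's code. It assumes memberOf arrives as a list of LDAP DN strings; the sample DNs, the parse_dn helper and the function names are constructed for this example (the project's principal.getMemberOf() and its YAML loader are not modelled). Scenario 1 takes one role per group from the parsed CN; Scenario 2 grants a role when its regex fully matches any memberOf value, which is why the issue's patterns are wrapped in `.*`. A stricter variant is included to show why matching an unanchored regex against the raw DN is risky: `.*123.*` is also satisfied by a group named CN=4123.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample input: memberOf values an LDAP lookup might return for one
# user. The third DN contains an escaped comma in the CN to show why naive
# splitting on "," is wrong.
SAMPLE_MEMBER_OF = [
    "CN=123,OU=Groups,DC=example,DC=com",
    "CN=456,OU=Groups,DC=example,DC=com",
    "CN=789\\, Ops,OU=Groups,DC=example,DC=com",
]

# The 'authorization:' block from the issue, as a dict (role -> regex).
SAMPLE_AUTHZ: Dict[str, str] = {
    "admin": r".*123.*",
    "user": r".*456.*",
    "api": r".*999.*",
}

# Stricter configuration (assumption for this example): patterns are matched
# against the parsed CN value only, so they can be exact.
STRICT_AUTHZ: Dict[str, str] = {"admin": "123", "user": "456", "api": "999"}


def _split_rdn(rdn: str) -> Tuple[str, str]:
    attr, _, value = rdn.partition("=")
    # Attribute types are case-insensitive in LDAP; normalise for comparison.
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attributeType, value) pairs.

    Handles the RFC 4514 backslash escape (e.g. '\\,'); hex-pair escapes and
    multi-valued RDNs ('+') are not handled (simplification for this example).
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_split_rdn("".join(buf)))
    return rdns


def cn_of(dn: str) -> str:
    """Return the value of the first CN in the DN, or '' if there is none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return ""


def roles_from_cn(member_of: Iterable[str]) -> List[str]:
    """Scenario 1: one role per group, taken from the CN of each memberOf DN."""
    return [cn_of(dn) for dn in member_of]


def roles_by_regex(member_of: Iterable[str], authz: Dict[str, str]) -> Set[str]:
    """Scenario 2: a role is granted when its regex matches a raw memberOf value.

    fullmatch() mirrors Java's String.matches(), hence the '.*' wrapping in
    the issue's configuration.
    """
    member_of = list(member_of)
    return {
        role for role, pattern in authz.items()
        if any(re.fullmatch(pattern, dn) for dn in member_of)
    }


def roles_by_cn_regex(member_of: Iterable[str], authz: Dict[str, str]) -> Set[str]:
    """Stricter variant: match the pattern against the parsed CN only."""
    cns = [cn_of(dn) for dn in member_of]
    return {
        role for role, pattern in authz.items()
        if any(re.fullmatch(pattern, cn) for cn in cns)
    }


def is_authorized(required_role: str, member_of: Iterable[str],
                  authz: Dict[str, str]) -> bool:
    """Scenario 2 check for one operation requiring one role."""
    return required_role in roles_by_regex(member_of, authz)


if __name__ == "__main__":
    print("scenario 1 roles:", roles_from_cn(SAMPLE_MEMBER_OF))
    print("scenario 2 roles:", sorted(roles_by_regex(SAMPLE_MEMBER_OF, SAMPLE_AUTHZ)))
    print("CN=4123 with loose regex:",
          sorted(roles_by_regex(["CN=4123,OU=Groups,DC=example,DC=com"], SAMPLE_AUTHZ)))
    print("CN=4123 with strict CN match:",
          sorted(roles_by_cn_regex(["CN=4123,OU=Groups,DC=example,DC=com"], STRICT_AUTHZ)))
```

Running the block prints the Scenario 1 role list (`123`, `456`, `789, Ops`), the Scenario 2 grant (`admin` and `user`, but not `api`, exactly as the issue describes), and then shows that the loose regex grants `admin` to a member of CN=4123 while the CN-anchored variant does not.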
Could you check if #310 fixed this issue?
For now it works. Will let it sit for a few more days.
Issue is fixed with #310.