Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a READER role that gives read access to users and groups info #842

Open
wants to merge 40 commits into
base: develop
Choose a base branch
from
Open

Add a READER role that gives read access to users and groups info #842

wants to merge 40 commits into from

Conversation

garaimanoj
Copy link
Contributor

No description provided.

@garaimanoj garaimanoj self-assigned this Sep 9, 2024
@garaimanoj garaimanoj linked an issue Sep 9, 2024 that may be closed by this pull request
ROLE_READ to allow seeing account details of all users #794
Open
@garaimanoj garaimanoj marked this pull request as ready for review September 11, 2024 14:19
@rmiccoli rmiccoli changed the title Issue 794 role reader Add ROLE_READER Sep 12, 2024
@rmiccoli
Copy link
Contributor

I notice that a user with monitoring privileges (ROLE_READER) is not able to access to /scim/Users and /iam/scope_policies - they get 403. Is it intentional?

Also, user can try to remove members from a group getting, of course, a 403 error after clicking. Should the Remove button be hidden?

enricovianello
enricovianello approved these changes Sep 13, 2024
View reviewed changes
Copy link
Member

@enricovianello enricovianello left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to me all ok

@enricovianello enricovianello changed the title Add ROLE_READER Add a READER role that gives read access to users and groups info Sep 13, 2024
enricovianello
enricovianello approved these changes Sep 13, 2024
View reviewed changes
Copy link
Member

@enricovianello enricovianello left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes are ok to me and I have nothing to correct 👍
Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

@enricovianello enricovianello added the component/db Issue that includes one or more db migrations label Sep 13, 2024
@garaimanoj
Copy link
Contributor Author

I notice that a user with monitoring privileges (ROLE_READER) is not able to access to /scim/Users and /iam/scope_policies - they get 403. Is it intentional?

Also, user can try to remove members from a group getting, of course, a 403 error after clicking. Should the Remove button be hidden?

Now ROLE_READER can access to /scim/Users and /iam/scope_policies. Remove button has been disabled.

@rmiccoli
Copy link
Contributor

Quality Gate Passed Quality Gate passed

Issues 59 New issues 0 Accepted issues

Measures 0 Security Hotspots 100.0% Coverage on New Code 0.0% Duplication on New Code

See analysis details on SonarCloud

Try to solve these issues where possible

@garaimanoj
Copy link
Contributor Author

garaimanoj commented Sep 16, 2024
edited
Loading

Organization Management is available in sidebar menu when registration is enabled. I have added additional check for READER.
image

@garaimanoj
Copy link
Contributor Author

garaimanoj commented Sep 16, 2024
edited
Loading

These changes are ok to me and I have nothing to correct 👍 Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

As of now I have hidden the x509 certificate section from Admin and Reader from UI. Could you please raise an issue with more details regarding the new view of SCIM modal task.

@rmiccoli
Copy link
Contributor

rmiccoli commented Sep 18, 2024
edited
Loading

These changes are ok to me and I have nothing to correct 👍 Coverage is ok but we didn't add specific tests about this role. I'd say it's important to add some specific tests in particular that check those users are not allowed to get for example x509 PEM certificates of these users. But the real problem is that admins currently can see them and probably what we wants is that both admins and readers can't access them and tests should be oriented to this behavior. Then, probably, we need a different issue that addresses this change, which is more complex: currently there are no views on SCIM model objects. This change is required before introducing this READER role. I'm realizing this now. We can talk about this during today IAM community meeting.

As of now I have hidden the x509 certificate section from Admin and Reader from UI. Could you please raise an issue with more details regarding the new view of SCIM modal task.

Hi Manoj, both admins and users with ROLE_READER should see users' x509 certificates from UI. The idea was to hide only the pem-encoded certificate from SCIM API.

enricovianello
enricovianello requested changes Oct 18, 2024
View reviewed changes
Copy link
Member

@enricovianello enricovianello left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Move V106 migrations to V107 or higher

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

enricovianello and others added 16 commits November 26, 2024 23:24
@enricovianello
Revert "Self-service upload of user certificate (#750)"
aecb995 
This reverts commit ae09f39.
@enricovianello
Revert "Bump version to 1.11.0"
2777efe 
This reverts commit 22faeb3.
@enricovianello
Merge branch 'v1.10.3' into develop
6018c3e
@enricovianello
Bump version to 1.11.0
1e75841
@rmiccoli @enricovianello
Exclude IAM optional groups from VOMS AC (#894)
023f7d0
@enricovianello
Fix CERN lifecycle logic (#896)
118b57e 
- set end time to current date in case user is not found on API
- set ent time to current date when user has no experiment participation at all
@rmiccoli @enricovianello
Find account by certificate sub and iss in VOMS AA (#897)
35240c2
@enricovianello
Avoid NullPointerException
3a51b67
@rmiccoli @enricovianello
Fix code smells
f0d2e11
@enricovianello
Remove Institute label
f015882 
The 64 char limit on label val is not enough to store Institute.
@enricovianello
Log lifecycle handlers start and end with INFO level
40db2f3
@garaimanoj
Delete rogue registration requests without sending a reason (#858)
ac90533 
* Add motivation to the message published into RegistrationRejectEvent
@enricovianello
Prevent the issue of broken SAML login flow
7d59c22
@rmiccoli
Add MFA support for local credentials (#733)
2f900ff
@enricovianello
Add 1.11.0 to CHANGELOG
1348b1c
@garaimanoj
Merge branch 'develop' into issue-794-role-reader
3c53809
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Mar 4, 2025

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rmiccoli rmiccoli Awaiting requested review from rmiccoli

@enricovianello enricovianello Awaiting requested review from enricovianello

Requested changes must be addressed to merge this pull request.

Assignees

@garaimanoj garaimanoj

Labels
component/db Issue that includes one or more db migrations kind/feature status/changes-requested status/in-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ROLE_READ to allow seeing account details of all users
4 participants
@garaimanoj @rmiccoli @enricovianello @darcato