
[Bug]: Default App Viewer role for public applications grants production access to whole workspace #33354

Open
Akatroj opened this issue May 10, 2024 · 2 comments
Assignees
Labels
  • Bug: Something isn't working
  • Community Reported: issues reported by community members
  • Needs Triaging: Needs attention from maintainers to triage
  • Production
  • RBAC: Issues, requests and enhancements around RBAC.
  • Team Managers Pod: Issues that team managers care about for the security and efficiency of their teams

Comments

@Akatroj

Akatroj commented May 10, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Description

I'll start by saying I was on a call yesterday with your team regarding an issue I had. My workspace got bugged and it had the default "App Viewer" role configured, despite no application being public. We fixed this issue by unassigning this role through MongoDB, but I am filing a bug report because I believe there is a serious issue with how the public App Viewer role works.

Because the default "App Viewer" role has access to every application in the workspace, and these permissions are assigned to the workspace even if only one application in this workspace is public:

Any role that gives only staging access to this workspace's environments will also give users production access - this happens through the "App Viewer" role.

If we have an environment with several applications, only one of which is shared, it makes no sense that the whole workspace will be treated as public and every application will be affected.

I have confirmed my theory and provided reproduction steps:

Steps To Reproduce

  1. Create a workspace with 2 applications - let's name them "Shared" and "Not shared".
  2. Configure 2 environments in this workspace - staging and production
  3. Configure the "Shared" application so that it is public via URL.
  4. Create a "staging" role.
    • In the "Application resources" tab, give it edit access to "Not shared" only.
    • In the "Data sources & environments" tab, give it access to datasources, but in the "Staging" environment only.
  5. Create a user and assign them this "staging" role.
  6. When you log in as this new user, you can see view access to "Shared" and edit access to "Not shared".
  7. When you go to edit mode for "Not shared", you can switch the environment to production, despite the fact that your role does not have access to the production environment.

Public Sample App

No response

Environment

Production

Severity

Critical (Broken Production apps)

Issue video log

No response

Version

Self-hosted v1.21
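
The permission interaction described in the report, as an added toy model (this is not Appsmith's code; the Grant/Role types, the "*" wildcard, the action names view/edit/use_env and the union-over-roles evaluation are all assumptions made for illustration). It builds the workspace from the reproduction steps, the custom "staging" role from step 4, and the implicit "App Viewer" role in two variants: workspace-wide (the reported behaviour) and scoped to the public application only (the expected behaviour), then evaluates the checks from steps 6 and 7 for the staging user.

```python
# Constructed toy model of the permission interaction reported in this issue.
# NOT Appsmith's code: Grant/Role, the "*" wildcard, the action names and the
# union-over-roles evaluation are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Optional

VIEW, EDIT, USE_ENV = "view", "edit", "use_env"   # assumed action names


@dataclass(frozen=True)
class Grant:
    app: str          # application name, or "*" for every app in the workspace
    env: str          # environment name, or "*" for every environment
    actions: frozenset

    def covers(self, app: str, env: str, action: str) -> bool:
        return (self.app in ("*", app)
                and self.env in ("*", env)
                and action in self.actions)


@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple


# Workspace from the reproduction steps: two apps, one shared publicly.
APPS: Dict[str, bool] = {"Shared": True, "Not shared": False}   # name -> is_public
ENVIRONMENTS = ("staging", "production")

# The custom "staging" role from step 4.
STAGING_ROLE = Role("staging", (
    Grant("Not shared", "*", frozenset({VIEW, EDIT})),   # Application resources tab
    Grant("*", "staging", frozenset({USE_ENV})),          # Data sources & environments tab
))


def default_viewer_role(apps: Dict[str, bool], per_app: bool) -> Optional[Role]:
    """Implicit "App Viewer" role that appears once any app is public.

    per_app=False models the behaviour reported in the issue: one
    workspace-wide grant. per_app=True models the expected behaviour: one
    grant per public application. Either way the public app must run in
    every environment, so env is "*".
    """
    public = [name for name, is_public in apps.items() if is_public]
    if not public:
        return None
    if per_app:
        grants = tuple(Grant(name, "*", frozenset({VIEW, USE_ENV})) for name in public)
    else:
        grants = (Grant("*", "*", frozenset({VIEW, USE_ENV})),)
    return Role("App Viewer (default)", grants)


def allowed(roles: List[Role], app: str, env: str, action: str) -> bool:
    """Effective permission is the union over all assigned roles (assumed)."""
    return any(g.covers(app, env, action) for r in roles for g in r.grants)


def effective_access(per_app: bool) -> Dict[str, bool]:
    """Evaluate the checks from steps 6 and 7 for the staging user."""
    roles = [STAGING_ROLE]
    viewer = default_viewer_role(APPS, per_app)
    if viewer is not None:
        roles.append(viewer)
    return {
        "view Shared": allowed(roles, "Shared", "production", VIEW),
        "edit Shared": allowed(roles, "Shared", "staging", EDIT),
        "edit Not shared": allowed(roles, "Not shared", "staging", EDIT),
        "Not shared on staging": allowed(roles, "Not shared", "staging", USE_ENV),
        "Not shared on production": allowed(roles, "Not shared", "production", USE_ENV),
    }


if __name__ == "__main__":
    for label, per_app in (("reported (workspace-wide viewer)", False),
                           ("expected (per-app viewer)", True)):
        print(label)
        for check, ok in effective_access(per_app).items():
            print(f"  {check:26s} {'ALLOWED' if ok else 'denied'}")
```

With the workspace-wide variant, "Not shared on production" comes back allowed even though only the viewer role, not the staging role, covers that environment; scoping the implicit role to the public application is the only change between the two runs, and it is enough to make that check fail while the public app stays viewable in every environment.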

@Akatroj Akatroj added Bug Something isn't working Needs Triaging Needs attention from maintainers to triage labels May 10, 2024
@Nikhil-Nandagopal Nikhil-Nandagopal added Community Reported issues reported by community members Critical This issue needs immediate attention. Drop everything else Production RBAC Issues, requests and enhancements around RBAC. labels May 10, 2024
@github-actions github-actions bot added the Team Managers Pod Issues that team managers care about for the security and efficiency of their teams label May 13, 2024
@paulschmeida

Can someone recommend a workaround in the meantime?

@sondermanish
Contributor

@paulschmeida We have logged the issue here: #33357.
We are trying to fix the issue. However, that will be in upcoming releases; we will try to find a workaround in the meantime to unblock you.

@riteshkew riteshkew removed the Critical This issue needs immediate attention. Drop everything else label May 17, 2024

7 participants