[MXS-3783] User access control in MaxGUI Created: 2021-09-24  Updated: 2022-08-04  Resolved: 2022-04-22

Status: Closed
Project: MariaDB MaxScale
Component/s: maxgui
Affects Version/s: 6.1.1
Fix Version/s: 22.08.0

Type: New Feature Priority: Minor
Reporter: M.B. Assignee: Duong Thien Ly
Resolution: Fixed Votes: 0
Labels: None
Environment:

Ubuntu 20.04
MaxScale 6.1.1


Issue Links:
Relates
relates to MXS-3853 Manage MaxScale users in MaxGUI Closed
Sprint: MXS-SPRINT-155

 Description   

Currently the GUI allows you to attempt all operations that modify the configuration even if we know they will fail due to a lack of permissions. Graying out the buttons that do these modifications would signal to the user that more privileges are required to attempt them.

Original description:


Hi,

I created a basic user, following this guide:

https://mariadb.com/kb/en/mariadb-maxscale-25-mariadb-maxscale-administration-tutorial/#managing-maxctrl-and-rest-api-users

But in MaxGUI and the CLI I'm able to use maxctrl or do some modifications via the GUI with my "test" user.

Is this a bug or did I do something wrong?

My passwd looks like:

[
  {"name": "test", "account": "basic", "password": "$6$MX...yz1"},
  {"name": "admin", "account": "admin", "password": "$6$MX...yz1"}
]

I just need a read-only user for the dashboard.

Thy



 Comments   
Comment by markus makela [ 2021-09-27 ]

What modifications can you do?

Comment by markus makela [ 2021-10-11 ]

fettfoen can you specify what you did? The actions you did aren't clear from the issue description.

Comment by M.B. [ 2021-10-11 ]

I can click "+create new" and able to create server, monitor, filter . . .

It is also possible to navigate to "Settings" and do some parameters modifications.

BR
M.B.

Comment by markus makela [ 2021-10-11 ]

Hmm, that's definitely not what it should do. Can you verify that you do this with the correct user by enabling log info by adding log_info=true under the [maxscale] section?

Comment by M.B. [ 2021-10-12 ]

Hi markus,

I guess I have to correct myself. I enabled "log_info" and tried to modify a parameter like "skip_permission_checks" from "false" to "true". It didn't work.

LOG:
warning: (authorize_user): Authorization failed for 'test', request requires administrative privileges. Request: PATCH /maxscale

Maybe I was a little bit confused because I can see and do the modifications, but it cancels my action during the last step with a permission error.

Wouldn't it be better not to give an unprivileged user the option to edit? Or hide the "Create New" button?

I suspect the bug (that it is not a bug) can be closed, that it is more of a GUI improvement?

thanks for help and time
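The warning quoted in the comment above shows that the REST API, not the GUI, is what rejects the basic user's write. The following Python is an added example, not part of this thread or of MaxScale: it parses lines of that form and counts denied requests per user. The sample lines are constructed from the single line quoted above, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Matches the authorization-failure warning quoted in the comment above.
# Anything before "warning:" (for example a timestamp) is ignored on purpose.
DENIED = re.compile(
    r"warning\s*:\s*\(authorize_user\):\s*"
    r"Authorization failed for '(?P<user>[^']*)', "
    r"request requires administrative privileges\. "
    r"Request: (?P<method>[A-Z]+) (?P<path>\S+)"
)

def parse_denials(lines):
    """Return (user, method, path) for every denied request in `lines`."""
    denials = []
    for line in lines:
        m = DENIED.search(line)
        if m:
            denials.append((m["user"], m["method"], m["path"]))
    return denials

def summarize(lines, threshold=3):
    """Count denials per user; flag users with at least `threshold` denials.

    The threshold is an assumption: one or two denials fit a user who
    clicked an editable control in the GUI, a larger count merits a look.
    """
    per_user = Counter(user for user, _, _ in parse_denials(lines))
    flagged = sorted(u for u, n in per_user.items() if n >= threshold)
    return per_user, flagged

# Constructed sample input: the first line is the one quoted in the thread,
# the others are made up in the same format for illustration.
SAMPLE_LOG = [
    "warning: (authorize_user): Authorization failed for 'test', request requires administrative privileges. Request: PATCH /maxscale",
    "warning: (authorize_user): Authorization failed for 'test', request requires administrative privileges. Request: POST /servers",
    "info: unrelated line that must be skipped (constructed)",
    "warning: (authorize_user): Authorization failed for 'test', request requires administrative privileges. Request: POST /monitors",
    "warning: (authorize_user): Authorization failed for 'viewer', request requires administrative privileges. Request: PATCH /maxscale",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for user, n in counts.most_common():
        print(f"{user}: {n} denied request(s)")
    print("flagged:", flagged)
```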

Comment by markus makela [ 2021-10-12 ]

OK, it makes sense now: the GUI does not prevent you from attempting the operation even if the account you are using is just a basic user. This is expected behavior so I'll change this to a feature request and edit the description.

Comment by M.B. [ 2021-10-12 ]

Thank you very much. Sorry for the bug report. At first glance it had looked like this.

Comment by markus makela [ 2021-10-12 ]

No problem, this was an easy thing to mix up as a bug. We appreciate the time you took to file the report and test the behavior.

Generated at Thu Feb 08 04:23:55 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.