Closed
Bug 931242
Opened 12 years ago
Closed 12 years ago
More fine grained permissions for access to sensitive data
Categories
(Socorro :: Webapp, task)
Socorro
Webapp
Tracking
(Not tracked)
VERIFIED
FIXED
66
People
(Reporter: peterbe, Assigned: peterbe)
References
Details
(Whiteboard: [Config changes][qa+])
Attachments
(4 files)
List of all users
At the moment, all logic for whether you can access certain things (emails, URLs, Admin UI, admin UI actions) is based on whether you succeeded to log in or not.
Instead we should allow anybody to log in but all access should be blocked by permissions.
We also need to attach permissions to groups and groups to people. For this we need an Admin UI.
|
Assignee | |
Updated•12 years ago
|
Assignee: nobody → peterbe
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 1•12 years ago
|
||
|
|
Assignee | |
Comment 2•12 years ago
|
||
|
|
Assignee | |
Comment 3•12 years ago
|
||
I need some brainstorming guidance on this now...
I've thrown out all the LDAP stuff and built an admin view for managing users which makes it possible to promote a "nobody" user to belong to a group or groups. These groups then map to permissions and it's these permissions we refer to within the business logic throughout the site. E.g.::
{% if request.user.has_perm('view_email') %}
Email: {{ crash.email }}
{% endif %}
What I need help with is the initial set of permissions and groups that we're going to ship and attach the business logic to. Here's what I've got so far::
PERMISSIONS = {
'view_pii': 'View Personal Identifyable Information',
'view_rawdump': 'View Raw Dumps',
}
GROUPS = (
('Hackers', ('view_pii', 'view_rawdump')),
)
Hopefully the names of that will make sense. This basically makes 1 group available called "Hackers".
Not a great name, is it?
Are there other group configurations you can imagine we should ship by default?
As for the Admin UI, I made ALL of the admin related views and actions depend on you being a superuser so that won't depend on groups. Is that good enough?
|
||
Comment 4•12 years ago
|
||
Right now, IMHO, we should have an "Admin" group for people who can access the admin UI, a "PII" group (for lack of a better name) that can view URLs and emails, and a "Rawdump" group (we could name it "developers" if you like but I find it confusing if the group name doesn't tell you which kind of permissions is behind it) for people who can access the raw dump. The latter may still need to correspond to an LDAP flag as AFAIK Apache is guarding that access ultimately right now.
|
||
Comment 5•12 years ago
|
||
We will want a group for "can view exploitability results".
|
|
Assignee | |
Comment 6•12 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #4)
> Right now, IMHO, we should have an "Admin" group for people who can access
> the admin UI, a "PII" group (for lack of a better name) that can view URLs
> and emails, and a "Rawdump" group (we could name it "developers" if you like
> but I find it confusing if the group name doesn't tell you which kind of
> permissions is behind it) for people who can access the raw dump. The latter
> may still need to correspond to an LDAP flag as AFAIK Apache is guarding
> that access ultimately right now.
Thanks. That helps.
But do you mind that I use a "is superuser" attribute instead of doing group membership for accessing any /admin/* URLs.
|
|
Assignee | |
Comment 7•12 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #5)
> We will want a group for "can view exploitability results".
Excellent idea!
That's a great permission name. Any preference what we should call this group?
|
|
||
Comment 8•12 years ago
|
||
(In reply to Peter Bengtsson [:peterbe] from comment #6)
> But do you mind that I use a "is superuser" attribute instead of doing group
> membership for accessing any /admin/* URLs.
I don't care too much as long as we can have multiple people who have access to the admin UI.
|
|
Assignee | |
Comment 9•12 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #8)
> (In reply to Peter Bengtsson [:peterbe] from comment #6)
> > But do you mind that I use a "is superuser" attribute instead of doing group
> > membership for accessing any /admin/* URLs.
>
> I don't care too much as long as we can have multiple people who have access
> to the admin UI.
Being a supervisor is like being root on a UNIX systems. No questions asked basically. But like with root, you can't say, for example, "you need this or that permission to write to /some/special/place"
|
|
Assignee | |
Comment 10•12 years ago
|
||
So, instead of nailing the actual groups here and now I built an admin UI thing so you can CRUD groups instead.
The permissions are more or less hardcoded because that's what we use in the business logic and templates to protect things.
|
|
Assignee | |
Comment 11•12 years ago
|
||
|
|
Assignee | |
Comment 12•12 years ago
|
||
CC'ing Adrian because I think you would be the best person to review this monster.
|
|
Assignee | |
Updated•12 years ago
|
Whiteboard: [Config changes needed, see dependent #935594]
|
||
Updated•12 years ago
|
Whiteboard: [Config changes needed, see dependent #935594] → [Config changes]
|
||
Updated•12 years ago
|
|
|
||
Updated•12 years ago
|
|
|
||
Comment 13•12 years ago
|
||
Once this has landed webops needs to do 935594
|
|
Assignee | |
Updated•12 years ago
|
Target Milestone: --- → 67
|
||
Comment 14•12 years ago
|
||
Commit pushed to master at https://github.com/mozilla/socorro
https://github.com/mozilla/socorro/commit/e13bd1df32ef36c4981c0f5560e43faa5d2bd4af
fixes bug 931242 - more fine grained permissions on data access, r=adrian
|
|
||
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Updated•12 years ago
|
Target Milestone: 67 → 66
|
|
Assignee | |
Comment 15•12 years ago
|
||
Steps to "reproduce":
1. Go to the home page
2. Click "Sign-in" with Persona. Use a non-mozilla email address that you know is not connected to LDAP.
3. Click on a signature from the Top Crashers, click Report tab. Click on a crash.
Expect:
* You should be able to sign in
* You should have a link in the footer that says "Your permissions". Click that. Expect to see No, No, No on all permissions.
* When looking at a crash you should not be able to see any PII.
The next step would be for someone (e.g. peterbe) to make this user belong to a group with the appropriate permissions and now PII should re-appear and the "Your permissions" page should change.
Whiteboard: [Config changes] → [Config changes][qa+]
|
||
Comment 16•12 years ago
|
||
One way to check the PII permission would be to go to super search, add a new line and try to use the "email" or "url" fields. If they do not appear, that means you don't have the permission to see PII.
|
||
Comment 17•12 years ago
|
||
QA verified on stage -
- /permissions/ link exists in the footer
- https://crash-stats.allizom.org/permissions/ the new permissions panel correctly updates yes/no for the 3 permission levels (exploitability reports, PII, and Raw Dumps)
- Users without permission are not given the filter options in /search/ to query by email or url. The inverse is true; if the account has permission the user will see these options
- Top crasher reports only show the url tab to users with the correct privilege constellation
- individual crashes allow the downloading of raw dumps only to users with those privileges
Not verified - permissions groups other than the "Hackers" group work.
|
|
||
Updated•12 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
|
|
||
Comment 18•12 years ago
|
||
Bumping to QA verified - I created several other groups that represent the available permissions constellations and lgtm.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•