
missing rules for "health" endpoints in access.js


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: OpenIDM 3.2.0
    • Fix Version/s: None
    • Component/s: Module - Authorization
    • Labels: None
    • Environment: r4923

      Description

      Currently, health service endpoints (created in OPENIDM-2925) have no authorization rules in access.js.
      So we go through this section:

          // openidm-admin can request nearly anything (some exceptions being a few system and repo endpoints)
          {
              "pattern"   : "*",
              "roles"     : "openidm-admin",
              "methods"   : "*", // default to all methods allowed
              "actions"   : "*", // default to all actions allowed
              "customAuthz" : "disallowQueryExpression()",
              "excludePatterns": "system/*,repo,repo/*"
          },


      but in fact, those endpoints should be READ only. This is managed in the Java code, but we could make it more explicit in the configuration with a section like:

          {
              "pattern"    : "health/*",
              "roles"      : "openidm-admin",
              "methods"    : "read",
              "actions"    : "*"
          },


      and add "health/*" in "excludePatterns" of the previous section.
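The effect of the two configurations can be checked with a small rule evaluator. The block below is an added example written for this page; it is not OpenIDM's access.js or its Java authorization code. It assumes simplified matching semantics (a "*" glob matches any characters including "/", "roles", "methods" and "excludePatterns" are comma-separated lists, any matching rule grants access) and omits customAuthz; the sample endpoint path "health/memory" and the requests are constructed for the illustration.

```javascript
// Added example, not OpenIDM code: a minimal evaluator for access.js-style
// rule lists. Glob and list semantics below are assumptions for this example.

function globToRegExp(pattern) {
  const escaped = pattern
    .trim()
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*");                  // "*" matches anything, "/" included
  return new RegExp("^" + escaped + "$");
}

function splitList(value) {
  return String(value || "").split(",").map(s => s.trim()).filter(Boolean);
}

// A rule grants a request only if every one of its constraints is satisfied.
function ruleMatches(rule, request) {
  if (!globToRegExp(rule.pattern).test(request.path)) return false;
  if (splitList(rule.excludePatterns).some(p => globToRegExp(p).test(request.path))) return false;

  const roles = splitList(rule.roles);
  if (!roles.includes("*") && !request.roles.some(r => roles.includes(r))) return false;

  const methods = splitList(rule.methods);
  if (!methods.includes("*") && !methods.includes(request.method)) return false;

  // "actions" only constrains the action method; "*" means any action.
  if (request.method === "action") {
    const actions = splitList(rule.actions);
    if (!actions.includes("*") && !actions.includes(request.action)) return false;
  }
  return true;
}

// Any matching rule grants access; no match means deny.
function isAllowed(rules, request) {
  return rules.some(rule => ruleMatches(rule, request));
}

// The catch-all rule as quoted in the issue: health/* is not excluded, so
// openidm-admin can use any method on it (customAuthz omitted here).
const currentRules = [
  { pattern: "*", roles: "openidm-admin", methods: "*", actions: "*",
    excludePatterns: "system/*,repo,repo/*" }
];

// The configuration the issue proposes: a read-only health/* rule, plus
// health/* in the catch-all's excludePatterns so it no longer applies there.
const proposedRules = [
  { pattern: "health/*", roles: "openidm-admin", methods: "read", actions: "*" },
  { pattern: "*", roles: "openidm-admin", methods: "*", actions: "*",
    excludePatterns: "system/*,repo,repo/*,health/*" }
];

// Constructed sample request; "health/memory" is an assumed endpoint path.
function adminRequest(method) {
  return { path: "health/memory", method, roles: ["openidm-admin"] };
}

// Decision under both rule sets for one method against health/memory.
function compare(method) {
  return {
    current: isAllowed(currentRules, adminRequest(method)),
    proposed: isAllowed(proposedRules, adminRequest(method)),
  };
}

console.log("read:  ", compare("read"));
console.log("delete:", compare("delete"));
```

Under the current rule set an admin delete on health/memory is granted by the catch-all; under the proposed set only read survives, and a non-admin role is denied in both. Because the example uses any-match semantics, forgetting to add health/* to excludePatterns would leave the catch-all granting delete even with the new read-only rule in place, which is why the issue asks for both changes together.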

            People

            Assignee: Andi Egloff (andi)
            Reporter: Laurent Bristiel (laurent.bristiel, inactive)