[Geoserver-devel] [JIRA] (GEOS-10074) GeoFence "Admin rules" grant "ADMIN" access to unauthorized users

Gabriel Roldan created an issue

GeoServer / Bug GEOS-10074

GeoFence “Admin rules” grant “ADMIN” access to unauthorized users

Issue Type:

Bug

Affects Versions:

2.19.0

Assignee:

Gabriel Roldan

Attachments:

image-2021-05-21-15-27-39-296.png, image-2021-05-21-15-28-19-481.png

Components:

GeoFence

Created:

21/May/21 8:28 PM

Priority:

Medium

Reporter:

Gabriel Roldan

Initially reported as a GeoFence issue about a year ago.

The mere existence of Admin Rules grants admin access to all users: every user gets admin access to every workspace for which an admin rule exists, regardless of whether the rule's user or role matches them.

To reproduce:

$ cp -rf data/release /tmp/data_dir
$ mvn -f src/web/app -Pgeofence-server \
-DGEOSERVER_DATA_DIR=/tmp/data_dir  \
-Djava.net.preferIPv4Stack=true \
jetty:run 

Create the following users and roles:

User          Role
sf_admin      SF_ADMIN
sf_user       SF_USER
topp_admin    TOPP_ADMIN
topp_user     TOPP_USER

Set up the following GeoFence “Data Rules”:

Set up the following GeoFence “Admin Rules”:
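The rule tables themselves were attached as screenshots and are not reproduced in this message, so the following is an added, self-contained model of the expected admin-rule evaluation, not GeoFence's own code. It assumes a simplified admin rule shape (priority, username, rolename, workspace, access, with "*" as a wildcard) and constructs two hypothetical rules for the users above: one granting ADMIN on workspace "sf" to role SF_ADMIN and one granting ADMIN on "topp" to role TOPP_ADMIN. The correct evaluator only returns ADMIN when a rule actually matches the caller's user name or roles; the second evaluator models the reported defect, where the existence of any admin rule for the workspace is enough, so sf_user ends up with ADMIN on "sf". The assertions at the bottom are the regression checks a fix for this issue should keep green.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

ANY = "*"  # wildcard: matches any user name, role name or workspace


@dataclass(frozen=True)
class AdminRule:
    """Simplified model of a GeoFence admin rule (assumption, not the real class)."""
    priority: int
    username: str   # login name or ANY
    rolename: str   # role name or ANY
    workspace: str  # workspace name or ANY
    access: str     # "ADMIN" or "USER"


def rule_matches(rule: AdminRule, username: str, roles: Set[str], workspace: str) -> bool:
    """A rule applies only if user, role and workspace constraints all match."""
    if rule.username != ANY and rule.username != username:
        return False
    if rule.rolename != ANY and rule.rolename not in roles:
        return False
    if rule.workspace != ANY and rule.workspace != workspace:
        return False
    return True


def admin_access(rules: Iterable[AdminRule], username: str, roles: Set[str], workspace: str) -> str:
    """Correct behaviour: first matching rule by priority decides; no match means plain USER."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, username, roles, workspace):
            return rule.access
    return "USER"


def buggy_existence_only(rules: Iterable[AdminRule], username: str, roles: Set[str], workspace: str) -> str:
    """Model of the reported defect: any ADMIN rule for the workspace grants ADMIN to everyone.
    The caller's identity and roles are never consulted."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.workspace in (ANY, workspace) and rule.access == "ADMIN":
            return "ADMIN"
    return "USER"


# Constructed rules standing in for the screenshots in the report.
RULES: List[AdminRule] = [
    AdminRule(priority=1, username=ANY, rolename="SF_ADMIN", workspace="sf", access="ADMIN"),
    AdminRule(priority=2, username=ANY, rolename="TOPP_ADMIN", workspace="topp", access="ADMIN"),
]

# Users and roles from the reproduction steps.
USERS: Dict[str, Set[str]] = {
    "sf_admin": {"SF_ADMIN"},
    "sf_user": {"SF_USER"},
    "topp_admin": {"TOPP_ADMIN"},
    "topp_user": {"TOPP_USER"},
}


def evaluate_all(evaluator) -> Dict[str, str]:
    """Run one evaluator over every user/workspace pair; keys look like 'sf_user@sf'."""
    results = {}
    for user, roles in USERS.items():
        for ws in ("sf", "topp"):
            results[f"{user}@{ws}"] = evaluator(RULES, user, roles, ws)
    return results


if __name__ == "__main__":
    for name, fn in (("expected", admin_access), ("reported defect", buggy_existence_only)):
        print(f"--- {name} ---")
        for key, access in evaluate_all(fn).items():
            print(f"{key:16} {access}")
```

Running the block prints both matrices side by side; the defect row that matters for this issue is sf_user@sf (and topp_user@topp), which the correct evaluator resolves to USER and the existence-only model to ADMIN.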
