Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

using user-agent in RBAC rules can lead to 500 errors #34

Open
arekinath opened this issue Nov 20, 2019 · 0 comments
Open

using user-agent in RBAC rules can lead to 500 errors #34

arekinath opened this issue Nov 20, 2019 · 0 comments

Comments

@arekinath
Copy link
Contributor

Currently if I create an RBAC rule that's conditional on the "user-agent" header, any request that tries to run that rule which doesn't have a user-agent header sent causes a 500, which looks like this in the muskie logs:

    InternalError: an unexpected error occurred; caused by MissingConditionError: missing condition in context: "user-agent"
        at Server.authorize (/opt/smartdc/muskie/lib/auth.js:1172:26)
        at next (/opt/smartdc/muskie/node_modules/restify/lib/server.js:731:30)
        at f (/opt/smartdc/muskie/node_modules/once/once.js:16:25)
        at Server.storageContext (/opt/smartdc/muskie/lib/auth.js:1111:5)
        at next (/opt/smartdc/muskie/node_modules/restify/lib/server.js:731:30)
        at f (/opt/smartdc/muskie/node_modules/once/once.js:16:25)
        at /opt/smartdc/muskie/lib/common.js:547:17
        at /opt/smartdc/muskie/node_modules/vasync/lib/vasync.js:96:5
        at /opt/smartdc/muskie/lib/common.js:466:25
        at /opt/smartdc/muskie/lib/common.js:588:25
    Caused by: MissingConditionError: missing condition in context: "user-agent"
        at new MissingConditionError (/opt/smartdc/muskie/node_modules/mahi/node_modules/aperture/lib/errors.js:58:19)
        at Evaluator.evaluateCondition (/opt/smartdc/muskie/node_modules/mahi/node_modules/aperture/lib/evaluator.js:141:15)
        at Evaluator.evaluateOne (/opt/smartdc/muskie/node_modules/mahi/node_modules/aperture/lib/evaluator.js:67:14)
        at /opt/smartdc/muskie/node_modules/mahi/node_modules/aperture/lib/evaluator.js:82:22
        at Array.some (native)
        at Evaluator.evaluate (/opt/smartdc/muskie/node_modules/mahi/node_modules/aperture/lib/evaluator.js:81:22)
        at MahiClient.authorize (/opt/smartdc/muskie/node_modules/mahi/lib/client.js:596:24)
        at Object.authorize (/opt/smartdc/muskie/node_modules/libmanta/lib/auth.js:148:14)
        at Server.authorize (/opt/smartdc/muskie/lib/auth.js:1131:18)
        at next (/opt/smartdc/muskie/node_modules/restify/lib/server.js:731:30)

I think we should initialise the "user-agent" field to an empty string in the conditions if not present so that such rules don't cause 500 errors.
arekinath added a commit to arekinath/manta-muskie that referenced this issue Nov 20, 2019
@arekinath
TritonDataCenter#35 want ability to use "referer" header in RBAC rules
a68c2b0 
TritonDataCenter#34 using user-agent in RBAC rules can lead to 500 errors
@arekinath arekinath mentioned this issue Nov 20, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@arekinath