Root user cannot rotate principal credentials #624

Open
Gerrit-K opened this issue Jan 8, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@Gerrit-K
Contributor

Gerrit-K commented Jan 8, 2025

Describe the bug

When trying to rotate a principal's credentials via the root user, an HTTP error with code 403 is returned:

{"error":{"message":"Principal 'root' with activated PrincipalRoles '[]' and activated grants via '[service_admin]' is not authorized for op ROTATE_CREDENTIALS","type":"ForbiddenException","code":403}}

To Reproduce

  1. Deploy locally via docker compose up --build
  2. Note down the root principal credentials and store them in a shell variable, e.g.
    CLIENT_ID=f69f1990657205d9
    CLIENT_SECRET=e89026b4e87d60b7bd6ea75adb16e6f8
  3. Get an access token for the root principal
    TOKEN="$(curl --request POST "http://localhost:8181/api/catalog/v1/oauth/tokens?grant_type=client_credentials&scope=PRINCIPAL_ROLE%3AALL&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" \
    --header 'content-type: application/x-www-form-urlencoded' \
    | jq -r .access_token)"
  4. Create a new principal
    curl --request POST http://localhost:8181/api/management/v1/principals \
    --header "Authorization: Bearer $TOKEN" \
    --header "Content-Type: application/json" \
    -d '{"name": "test"}'
  5. Try to rotate the credentials of the new principal using the same token as it was created with
    curl --request POST http://localhost:8181/api/management/v1/principals/test/rotate \
    --header "Authorization: Bearer $TOKEN"

Actual Behavior

The service returns a 403 response

{"error":{"message":"Principal 'root' with activated PrincipalRoles '[]' and activated grants via '[service_admin]' is not authorized for op ROTATE_CREDENTIALS","type":"ForbiddenException","code":403}}

Expected Behavior

The principal credentials should successfully be rotated

Additional context

No response

System information

No response

@Gerrit-K Gerrit-K added the bug Something isn't working label Jan 8, 2025
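The reproduction above as one script, added here as an example; it is not code from the issue or from the Polaris project. It captures the HTTP status of each call with curl's --write-out (the original steps only print bodies) and, besides the root-rotates-principal call that fails, also tries the path a maintainer reply in this thread describes as allowed, the new principal rotating its own credentials. Assumptions: the server is at http://localhost:8181 as in step 1; the token endpoint accepts the client_credentials parameters in the form body (RFC 6749) instead of the query string used in step 3; the create-principal request body is the one from step 4; the create response carries the new principal's credentials under .credentials.clientId and .credentials.clientSecret (assumed, check against the management API spec for your version); curl and jq are installed.

```shell
#!/bin/sh
# Added example: reproduces issue #624 end to end and also exercises the
# self-rotation path mentioned in the thread. Not code from the issue or
# from the Polaris project. Requires curl and jq.
#
# Usage: CLIENT_ID=... CLIENT_SECRET=... sh repro-624.sh
# Without CLIENT_ID/CLIENT_SECRET set, only the helper functions are defined.

POLARIS_URL="${POLARIS_URL:-http://localhost:8181}"   # step 1 of the issue
BODY_FILE="${TMPDIR:-/tmp}/polaris-rotate-$$.json"

# Pure helper: classify a rotate response from its HTTP status and body.
# Prints one of: rotated, authz-denied, forbidden-other, unauthenticated, other.
rotate_verdict() {
    case "$1" in
        200) echo rotated ;;
        401) echo unauthenticated ;;
        403) case "$2" in
                 *ROTATE_CREDENTIALS*) echo authz-denied ;;
                 *) echo forbidden-other ;;
             esac ;;
        *)   echo other ;;
    esac
}

# client_credentials grant. The secret goes in the form body rather than the
# query string (as in the issue's step 3) so it stays out of shell history and
# access logs. Assumes the endpoint accepts RFC 6749 form parameters.
get_token() {
    curl -sS --request POST "$POLARIS_URL/api/catalog/v1/oauth/tokens" \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode 'scope=PRINCIPAL_ROLE:ALL' \
        --data-urlencode "client_id=$1" \
        --data-urlencode "client_secret=$2" \
    | jq -r '.access_token'
}

# Authenticated POST: response body is written to BODY_FILE, HTTP code printed.
# Usage: api_post <path> <token> [json]
api_post() {
    if [ $# -ge 3 ]; then
        curl -sS -o "$BODY_FILE" -w '%{http_code}' --request POST "$POLARIS_URL$1" \
            --header "Authorization: Bearer $2" \
            --header 'Content-Type: application/json' --data "$3"
    else
        curl -sS -o "$BODY_FILE" -w '%{http_code}' --request POST "$POLARIS_URL$1" \
            --header "Authorization: Bearer $2"
    fi
}

if [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
    trap 'rm -f "$BODY_FILE"' EXIT
    root_token="$(get_token "$CLIENT_ID" "$CLIENT_SECRET")"   # step 3
    name="test-$$"

    # Step 4: create a principal as root (request body as in the issue).
    code="$(api_post /api/management/v1/principals "$root_token" "{\"name\": \"$name\"}")"
    echo "create $name: HTTP $code"
    # Assumed response shape: the new principal's credentials under .credentials.*
    new_id="$(jq -r '.credentials.clientId' "$BODY_FILE")"
    new_secret="$(jq -r '.credentials.clientSecret' "$BODY_FILE")"

    # Step 5: root rotates the new principal. The issue reports 403 here.
    code="$(api_post "/api/management/v1/principals/$name/rotate" "$root_token")"
    echo "root rotates $name: HTTP $code -> $(rotate_verdict "$code" "$(cat "$BODY_FILE")")"

    # The path the maintainer reply describes as allowed: the principal rotates itself.
    own_token="$(get_token "$new_id" "$new_secret")"
    code="$(api_post "/api/management/v1/principals/$name/rotate" "$own_token")"
    echo "$name rotates itself: HTTP $code -> $(rotate_verdict "$code" "$(cat "$BODY_FILE")")"
fi
```

On a server with the behaviour described in the report, the second line prints HTTP 403 with verdict authz-denied and the third prints HTTP 200 with verdict rotated; the verdict helper keys on the ROTATE_CREDENTIALS operation named in the error body, so an unrelated 403 is reported separately as forbidden-other.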
@eric-maynard
Contributor

IIRC this is by design, users can rotate their own credentials but root cannot change them.

@Gerrit-K
Contributor Author

Hm, that seems a bit strange to me, to be honest 🤔 A not-so-rare use case for secret rotation is to restore access after credentials have been lost (by whatever means). If the root principal cannot do this, then there is literally no way to recover credentials, so the principal needs to be deleted and a new one set up, including setting up all the roles and permissions.

@dimas-b
Contributor

dimas-b commented Jan 11, 2025

I agree with @Gerrit-K . Having "root" capable of resetting any principal's passwords is a valuable feature (whether it falls under the "rotate credentials" API or gets a new API endpoint).
