Bug #111
Authentication security of nmv does not seem to work
| Status: | Assigned | Start: | September 23, 2010 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
I've set my nexentastor install to always-login for the management interface (NMV).
Or so I thought ;)
After rebooting my machine and starting up Firefox there were two pages open from my previous session:
http://nexentastor:2000/status/general/
and
http://nexentastor:2000/data/datasets/volumes/mir/
The first one shows the NMV Login screen as it should. But the second one shows the management interface for the dataset.
While I currently have not found anything that I could change (offlining a disk or saving settings on the page results in a NMV login screen as expected) I can move to other dataset/volumes and look at the information there.
It appears that there is a problem with the security decorators for this page in the NMV TurboGears/Cheetah application.
Regretfully I'm not able to supply a patch to fix this, as the source code is closed.
History
Updated by Ryan W over 2 years ago
So you want nexenta to re-authenticate when you go to your dataset view? It does exactly what you want if you aren't presently authenticated and try going direct to your dataset.
I don't see a problem here myself.
Updated by Bas van Oostveen over 2 years ago
No, that's not what I mean.
I don't want to re-auth, I want it to auth instead of allowing anonymous users to view these pages.
I am logged out. I have no session and am not authenticated.
Now when you go to the view /data/datasets/volumes/{{ somevolume }}/ no authentication is needed.
Anybody can look at this page. Without any form of authentication.
The view should have @login_required set.
Updated by Bas van Oostveen over 2 years ago
To give a more detailed example.
I have opened two browsers, 1x Firefox and 1x Chrome. I've logged in on Firefox and started browsing the NMV interface. Now I copy-paste the URL into Chrome, on which I explicitly do not log in.
During a small browser session the following URLs give me a "login" screen:
http://fs:2000/status/general/
http://fs:2000/data/datasets/
But this URL allows me to see details about the server without any restrictions:
http://fs:2000/data/datasets/volumes/tank/
It really sounds to me that there is a simple fix here....
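The failure pattern reported above, modelled as an added example (not NMV code; NMV's real framework internals are closed and not shown here): a per-view `login_required` decorator is easy to forget on one route, so the example also includes a deny-by-default audit and dispatcher as the mitigation a defender would add. The route paths are the ones from this report; `Request`, `route` and the view bodies are constructed for the example.

```python
"""Toy model: per-view auth decorators vs. a deny-by-default check."""
import functools
from dataclasses import dataclass
from typing import Optional

LOGIN_PAGE = "LOGIN SCREEN"


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None == anonymous, no session at all


def login_required(view):
    """Wrap a view so anonymous requests get the login screen instead."""
    @functools.wraps(view)
    def wrapper(req):
        if req.user is None:
            return LOGIN_PAGE
        return view(req)
    wrapper.login_required = True   # marker the audit below looks for
    return wrapper


ROUTES = {}


def route(path):
    """Register a view under a URL path (constructed stand-in for a framework)."""
    def register(view):
        ROUTES[path] = view
        return view
    return register


@route("/status/general/")
@login_required
def status_general(req):
    return "general status for " + req.user


@route("/data/datasets/")
@login_required
def datasets(req):
    return "dataset list"


# Constructed reproduction of the report: the decorator is missing on this view.
@route("/data/datasets/volumes/tank/")
def volume_tank(req):
    return "volume details: tank"


def dispatch(req):
    """Original behaviour: protection depends on each view remembering the decorator."""
    return ROUTES[req.path](req)


def unprotected_routes():
    """Audit: list registered views that lack the login_required marker."""
    return sorted(p for p, v in ROUTES.items()
                  if not getattr(v, "login_required", False))


def dispatch_deny_by_default(req):
    """Mitigation: enforce authentication centrally, before any view runs."""
    if req.user is None:
        return LOGIN_PAGE
    return ROUTES[req.path](req)
```

Running `unprotected_routes()` as a startup check or unit test turns a forgotten decorator into a failing build rather than an anonymous-readable page.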
Updated by Stas Kridzanovskiy over 2 years ago
- Status changed from New to Assigned
The bug was created.