#4 non-admin user cannot edit/delete credential (mysql-backend)

open
nobody
None
5
2010-08-11
2010-08-11
VT_Roman
No

Hi Andy,

Today, I upgraded from 0.4.4 to the most recent version (0.6.5) on my dev system. After restarting the Tomcat server, I got the message that I should create a new empty database and then do a system import from ver. 0.1.x; maybe this should be added to the upgrade documentation for 0.6.x...

After that, I see that I have the same problem as described in artifact no. 2911474 again (before the upgrade from 0.1.8 to 0.4.4):

A non-admin user cannot edit/delete a credential he has created before. After saving the new credential, there are no edit or delete buttons. I use MySQL 5.0 as the DB backend.

If you need more information, please let me know

best regards
Roman

Discussion

  • VT_Roman
    2010-08-11

    • summary: non-admin user cannot edit/delete label (mysql-backend) --> non-admin user cannot edit/delete credential (mysql-backend)
     
  • Andres Galeano
    2010-08-12

    Hi there Roman,

    I really thought I had this one reproduced and fixed. OK. Well I tested again as a non-admin on my mysql database and I was able to create and delete credential accounts.

    Using Corporate Vault as a non-admin I created an account. Then looked at it directly in the mysql database:

    mysql> select * from vs_credential where lower(username) like '%delete%';
    +-----+-------+-------+-------+-----------+--------------------------+---------------+---------+------+----------+
    | id | email | host | notes | op_sys_id | password | sync_password | type_id | url | username |
    +-----+-------+-------+-------+-----------+--------------------------+---------------+---------+------+----------+
    | 196 | NULL | fdsaf | NULL | NULL | jEdZM34OzfWOU6yXDdiAGg== | | 5 | NULL | delete5 |
    +-----+-------+-------+-------+-----------+--------------------------+---------------+---------+------+----------+
    1 row in set (0.00 sec)

    Then I used Corporate Vault to delete that account, and double checked that it was actually deleted:

    mysql> select * from vs_credential where lower(username) like '%delete%';
    Empty set (0.00 sec)

    I was using mysql 5.0.67

    mysql> SELECT VERSION();
    +-------------------+
    | VERSION() |
    +-------------------+
    | 5.0.67-0ubuntu6.1 |
    +-------------------+
    1 row in set (0.00 sec)

    So I'm a bit stuck on why this isn't working for you. Do you have any errors in the logs again when this happens? That may help.

    Cheers,
    -Andy

     
  • VT_Roman
    2010-08-13

    Hi Andy,

    I'm using MySQL version "5.0.18-standard-log". I'm adding another non-admin user called "delete5":

    mysql> select * from vs_user where lower(username) like '%dele%';
    +----+-----------------+----------------+------------+---------+----------------------------------+------------------+----------+
    | id | description | email | email_show | enabled | passwd | user_real_name | username |
    +----+-----------------+----------------+------------+---------+----------------------------------+------------------+----------+
    | 11 | Testuser delete | user@localhost | | | 9fc8a072aa455e7f8a0c51d07404b594 | Testing Deletion | delete5 |
    +----+-----------------+----------------+------------+---------+----------------------------------+------------------+----------+
    1 row in set (0.00 sec)

    Now I create a new credential:

    mysql> select * from vs_credential where lower(username) like '%delete%';
    +----+-------+------+-------+-----------+--------------------------+---------------+---------+------+----------+
    | id | email | host | notes | op_sys_id | password | sync_password | type_id | url | username |
    +----+-------+------+-------+-----------+--------------------------+---------------+---------+------+----------+
    | 18 | NULL | NULL | NULL | NULL | 7a9DppgnsQ0wRjvSJSp1mQ== | | NULL | NULL | delete5 |
    | 19 | NULL | NULL | NULL | NULL | 4FVndLtyodtmcgfEqEpRoA== | | NULL | NULL | delete5 |
    +----+-------+------+-------+-----------+--------------------------+---------------+---------+------+----------+

    But I cannot delete the credentials, because I have no "delete" or "edit" button in CorporateVault... Maybe you can give me some SQL statements to check the permissions for the credentials directly in the MySQL DB?

    I'll do some other testing with other versions...

    best regards
    Roman

     
  • VT_Roman
    2010-08-13

    Hi again Andy,

    I did some further testing with several versions (by upgrading the WAR file in the webapps dir).

    All versions up to 0.4.7 are OK and I can delete or edit credentials as non-admin user.

    After upgrading to 0.6.0 and importing the content (from 0.4.7), the non-admin user has only a "back" button, so editing or deleting a credential is impossible...

    Neither the MySQL log nor the Tomcat logs report errors...

    Which part of the code controls the display of the buttons...?

    Thank you
    Roman

     
  • Thank you for your patience on this.. I'm sure we'll get it.

    So.. when you use one of the latest versions, say 0.6.5, or 0.6.6. and as a non-admin create a credential, the next screen you see should be the "Show Credential Account" page.

    On that page, you're saying you do not see the "Edit" and "Delete" buttons..

    So.. those buttons appear if the user has "Full" access to the credential, versus "read only" access. Of course if the user created the account, the user, even a non-admin user, is supposed to have Full access.

    On the Show page, after you create a brand new credential as a non-admin, can you tell me what it says for "Grants:" and "Permission:" ? It *should* be saying something like:
    "Grants: 'Full' granted to smith on delete7"
    and
    "Permission: Full"

    This should be another hint as to what is failing...

    Thanks,
    -Andy

     
  • VT_Roman
    2010-08-16

    screenshot after creating a new credential

     
  • VT_Roman
    2010-08-16

    Hi Andy,

    I've created a brand new credential "cred10" with a non-admin user called "testuser".
    After saving, the user "testuser" has full access to this credential (see added screenshot), but no edit or delete button...

    I had a look in the MySQL table "vs_grant" directly:

    mysql> select * from vs_grant where resource_id = 221;
    +----+---------+-------------+---------------+-------------+
    | id | version | accessor_id | permission_id | resource_id |
    +----+---------+-------------+---------------+-------------+
    | 25 | 0 | 8 | 2 | 221 |
    +----+---------+-------------+---------------+-------------+
    1 row in set (0.00 sec)

    BTW: I had a look in the MySQL DB on my production system and noticed that the order of the columns has changed between 0.4.x and 0.6.x.

    Thanks

    Roman

     
  • VT_Roman
    2010-08-16

    Hi Andy,

    I've activated the query-log option for MySQL and had a look at the queries from Corporate Vault. I found the following query (show on the brand new credential):

    select this_.id as id18_1_, this_.version as version18_1_, this_.accessor_id as accessor3_18_1_, this_.permission_id as permission4_18_1_, this_.resource_id as resource5_18_1_, permission1_.id as id12_0_, permission1_.version as version12_0_, permission1_.can_edit as can3_12_0_, permission1_.name as name12_0_, permission1_.rank as rank12_0_ from vs_grant this_ left outer join vs_permission permission1_ on this_.permission_id=permission1_.id where ((this_.resource_id=222) and (this_.accessor_id=8 )) order by permission1_.rank desc

    I execute this query directly and get the following output:

    +---------+--------------+-----------------+-------------------+-----------------+---------+--------------+------------+-----------+-----------+
    | id18_1_ | version18_1_ | accessor3_18_1_ | permission4_18_1_ | resource5_18_1_ | id12_0_ | version12_0_ | can3_12_0_ | name12_0_ | rank12_0_ |
    +---------+--------------+-----------------+-------------------+-----------------+---------+--------------+------------+-----------+-----------+
    | 26 | 0 | 8 | 2 | 222 | 2 | 0 | | Full | 20 |
    +---------+--------------+-----------------+-------------------+-----------------+---------+--------------+------------+-----------+-----------+
    1 row in set (0.00 sec)

    I'm not sure, but is it possible that the result of the column "can3_12_0_" has to be b(1) to get the edit/delete button, and not b(0)?

    I'm playing around a bit with this query and get the result I expected with a "right outer join" instead of the "left outer join".

    best regards
    Roman

     
  • Hi Roman,

    Hmm.. that's very interesting. I thought the same variable that stores if you have "full" access also decides to show the "edit" and "delete" buttons. I guess not.. I'll have to look at that more carefully.

    That's a big clue... (and so is the 'right outer join' you mentioned). Unfortunately I'm swamped with other work at the moment... but I will get back to this soon. Sorry for the delay..

    -Andy
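
Added example (not part of the original thread and not Corporate Vault's own code): the mysql command-line client can print BIT values as raw bytes, and the bytes for 0 and 1 are both non-printing, so a blank `can3_12_0_` cell does not show which value is stored. The script below rebuilds the two tables from the column names in the logged query and reads the flag back as a number; the column types (BIT(1) for `can_edit` in particular), the scratch database name `vault_scratch` and the stored `can_edit` value are assumptions.

```sql
-- Added example. Table and column names are taken from the queries in the
-- thread; column types, the scratch database name and the can_edit value
-- are assumptions made for illustration.
CREATE DATABASE IF NOT EXISTS vault_scratch;
USE vault_scratch;

CREATE TABLE vs_permission (
  id       BIGINT       NOT NULL PRIMARY KEY,
  version  BIGINT       NOT NULL,
  can_edit BIT(1)       NOT NULL,   -- assumed type
  name     VARCHAR(255) NOT NULL,
  `rank`   INT          NOT NULL    -- quoted: RANK is reserved in MySQL 8
);

CREATE TABLE vs_grant (
  id            BIGINT NOT NULL PRIMARY KEY,
  version       BIGINT NOT NULL,
  accessor_id   BIGINT NOT NULL,
  permission_id BIGINT NOT NULL,
  resource_id   BIGINT NOT NULL
);

-- Constructed rows mirroring the posted output: grant 26 gives accessor 8
-- permission 2 ('Full', rank 20) on resource 222. can_edit = 0 is the
-- suspected state, not a value confirmed by the thread.
INSERT INTO vs_permission (id, version, can_edit, name, `rank`)
VALUES (2, 0, b'0', 'Full', 20);
INSERT INTO vs_grant (id, version, accessor_id, permission_id, resource_id)
VALUES (26, 0, 8, 2, 222);

-- Same join as the logged query, with the flag forced to a number.
-- "+ 0" converts the BIT value to an integer; a NULL permission name
-- would mean the grant points at a permission row that does not exist.
SELECT g.id AS grant_id, g.accessor_id, g.resource_id,
       p.name AS permission, p.`rank`, p.can_edit + 0 AS can_edit_num
FROM vs_grant g
LEFT OUTER JOIN vs_permission p ON g.permission_id = p.id
WHERE g.resource_id = 222 AND g.accessor_id = 8
ORDER BY p.`rank` DESC;

-- Permission rows named 'Full' whose edit flag is nevertheless off.
SELECT id, name, `rank`, can_edit + 0 AS can_edit_num
FROM vs_permission
WHERE name = 'Full' AND can_edit = b'0';
```

Run against a copy of the real database, only the two SELECT statements are needed, with the resource and accessor ids replaced by the ones under investigation.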