MAAS

Ability for non-admins to create tags

Bug #1889467 reported by Ramon Grullon on 2020-07-29

This bug affects 2 people

Affects

Status

Importance

Assigned to

Milestone

MAAS

Triaged

Wishlist

Unassigned

You need to log in to change this bug's status.

Affecting:	MAAS
Filed here by:	Ramon Grullon
When:	2020-07-29
Confirmed:	2020-10-12

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Wishlist

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

MAAS 2.8
Ubuntu 18.04 LTS

Currently based on the api documentation when setting a tag -
POST /MAAS/api/2.0/tags/{name}/?op=update_nodes

You will get a 403 error as regular user -

HTTP Status Code : 403

Content

Must be a superuser or supply a rack_controller.

There is a case to be made that this ability should not be an administrative tasks only and should be allowed as a non-administrative tasks for regular users.

From customer -

Then please consider this an RFE. Setting tags should not be restricted to administrators (I can see an argument for *creating* tags being administrative). Consider this example use case. MAAS user/roles PSB, MORPHEUS, ADMIN. Both PSB and MORPHEUS are, themselves, infrastructure management systems which parcel systems out to end users. Ideally, neither PSB nor MORPHEUS should be able to take over each others systems (so should NOT be administrators). But if they aren't administrators, they can't use the tagging system (e;g. to mark a machine as needing non-MAAS remediation (see our cases about Dell BOSS, MAAS deficiencies in sanitizing NVMe, DELL BOSS, Dell/Samsung SSD), etc). Tags may well be used for a wide variety of purposes, and non-administrative users being barred from assigning a tag to a system it "owns" makes either tags, or the non-administrative facility useless in our context.

Similarly, for setting storage ... having allocated a machine to "PSB" why should PSB not be able to configure the desired storage?

This is not an exhaustive list .. but it seems to us that non-administrative roles are overly constrained. I suppose for compatibility purposes this would mean either a recasting (a generic, perhaps bitflag controlled (this feature on, that feature off) with the default non-administrative roles to be locked down as they are now, or a third kind of role). To a first approximation what we expected/require is that the non-administrative roles can't change MAAS itself, nor should they be able to see or manipulate systems that are allocated to other users. No other limitations on what these users can do ...

With the current setup, this means all users are administrative ... which means there are no protections against one user/role taking over systems that are in use by others (which is unfortunate, to say the least).

Tags: Edit Tag help

Billy Olsen (billy-olsen) on 2020-08-03

tags:

added: sts

Dougal Matthews (d0ugal) on 2020-10-12

Changed in maas:
status:	New → Triaged
importance:	Undecided → Wishlist

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers