Hi all,
While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?
I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
If you're open to this, I'd be happy to open a pull request with my changes!
Thanks, Matt
Hi Matt,
Providing a non-admin version of the DBA is certainly a good idea. We mostly didn’t have time and resources to clarify what will be the implication for the particular views.
I’ll be happy to have a closer look at your fork next week.
Best, Christian
Matthew Dziuban mrdziuban@gmail.com schrieb am Mo., 21. Aug. 2023, 19:34:
Hi all,
While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?
I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
If you're open to this, I'd be happy to open a pull request with my changes!
Thanks, Matt
Sounds good, thanks Christian! Let me know if I can provide any more details that would be helpful.
Matt
On Tue, Aug 22, 2023 at 3:25 AM Christian Grün christian.gruen@gmail.com wrote:
Hi Matt,
Providing a non-admin version of the DBA is certainly a good idea. We mostly didn’t have time and resources to clarify what will be the implication for the particular views.
I’ll be happy to have a closer look at your fork next week.
Best, Christian
Matthew Dziuban mrdziuban@gmail.com schrieb am Mo., 21. Aug. 2023, 19:34:
Hi all,
While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?
I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
If you're open to this, I'd be happy to open a pull request with my changes!
Thanks, Matt
Hi Matthew,
Thanks for providing me access to your fork. I’ve done some quick tests, and I noticed the following:
• The Database panel should only list those databases that a particular user has access to. • It must not be allowed to run queries like admin:logs() unless you have 'admin' permissions. More generally, the permissions used for running queries must not be more powerful than those of the current user. • The Jobs panel must be limited to Admin users; at least that’s how our current permission model is designed (the current solution could possibly be enhanced, such that users with fewer permissions could see their own jobs).
You can either try the BaseX client to find out what users with fewer permissions are allowed to do, or you can look into the code [1].
Hope this helps; feel free to ask for more details, Christian
[1] https://github.com/BaseXdb/basex/blob/main/basex-core/src/main/java/org/base...
On Mon, Aug 21, 2023 at 7:34 PM Matthew Dziuban mrdziuban@gmail.com wrote:
Hi all,
While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?
I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
If you're open to this, I'd be happy to open a pull request with my changes!
Thanks, Matt
Hi Christian,
Thanks for the feedback! If I'm reading the code correctly, my understanding was that the permissions you mentioned should already be enforced:
- admin:logs() specifies Perm::ADMIN [1] - db:list() calls ctx.listDBs() which says it should return the databases for which the current user has read access [2] - job:list-details() specifies Perm::ADMIN [3]
I can update my fork to disallow access to the Logs and Jobs panels, but is it an issue in the java code that the relevant permissions aren't being enforced?
Thanks again, Matt
[1] https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/base... [2] https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/base... [3] https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/base...
On Wed, Aug 30, 2023 at 7:41 AM Christian Grün christian.gruen@gmail.com wrote:
Hi Matthew,
Thanks for providing me access to your fork. I’ve done some quick tests, and I noticed the following:
• The Database panel should only list those databases that a particular user has access to. • It must not be allowed to run queries like admin:logs() unless you have 'admin' permissions. More generally, the permissions used for running queries must not be more powerful than those of the current user. • The Jobs panel must be limited to Admin users; at least that’s how our current permission model is designed (the current solution could possibly be enhanced, such that users with fewer permissions could see their own jobs).
You can either try the BaseX client to find out what users with fewer permissions are allowed to do, or you can look into the code [1].
Hope this helps; feel free to ask for more details, Christian
[1] https://github.com/BaseXdb/basex/blob/main/basex-core/src/main/java/org/base...
On Mon, Aug 21, 2023 at 7:34 PM Matthew Dziuban mrdziuban@gmail.com wrote:
Hi all,
While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?
I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
If you're open to this, I'd be happy to open a pull request with my changes!
Thanks, Matt
Hi Matthew,
The challenge you’ll face is that a RESTXQ application always works with ADMIN permissions (unless you change that in the web.xml configuration). If you allow logins for users with lower permissions in the DBA, you’ll have to simulate this permission level, i.e., decide in the DBA code which operation will be allowed for the current user.
I could be tricky to that for e.g. the Database Panel; xquery:eval could possibly be used instead of direct db:list (etc) calls, and the permission of the current user could be supplied as an argument [1]. The easier solution would certainly be to suppress the Database Panel for all users that have no 'create' or 'admin' permissions.
For the Query Panel, it’s more obvious: You may have seen that the permission level can already be controlled via the settings. If a user has fewer permissions, this setting can be combined with the permission of the current user (the lowest value should be applied).
For the Jobs Panel, it’s easy again: It should only be visible for admin users.
Cheers, Christian
[1] https://docs.basex.org/wiki/XQuery_Module#xquery:eval
On Wed, Aug 30, 2023 at 5:28 PM Matthew Dziuban mrdziuban@gmail.com wrote:
Hi Christian,
Thanks for the feedback! If I'm reading the code correctly, my understanding was that the permissions you mentioned should already be enforced:
- admin:logs() specifies Perm::ADMIN [1]
- db:list() calls ctx.listDBs() which says it should return the
databases for which the current user has read access [2]
- job:list-details() specifies Perm::ADMIN [3]
I can update my fork to disallow access to the Logs and Jobs panels, but is it an issue in the java code that the relevant permissions aren't being enforced?
Thanks again, Matt
[1] https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/base... [2] https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/base... [3] https://github.com/BaseXdb/basex/blob/10.7/basex-core/src/main/java/org/base...
On Wed, Aug 30, 2023 at 7:41 AM Christian Grün christian.gruen@gmail.com wrote:
Hi Matthew,
Thanks for providing me access to your fork. I’ve done some quick tests, and I noticed the following:
• The Database panel should only list those databases that a particular user has access to. • It must not be allowed to run queries like admin:logs() unless you have 'admin' permissions. More generally, the permissions used for running queries must not be more powerful than those of the current user. • The Jobs panel must be limited to Admin users; at least that’s how our current permission model is designed (the current solution could possibly be enhanced, such that users with fewer permissions could see their own jobs).
You can either try the BaseX client to find out what users with fewer permissions are allowed to do, or you can look into the code [1].
Hope this helps; feel free to ask for more details, Christian
[1] https://github.com/BaseXdb/basex/blob/main/basex-core/src/main/java/org/base...
On Mon, Aug 21, 2023 at 7:34 PM Matthew Dziuban mrdziuban@gmail.com wrote:
Hi all,
While the subject might sound contradictory, I'm curious what you think about opening up the DBA code to allow non-admin users to access it and perform actions for which they have permissions?
I currently maintain and run a fork of the DBA web app at work to make this possible, but I'd love to have the behavior built into BaseX if possible. You can view the changes I've made against BaseX 10.7 here: https://github.com/mblink/basex-webapp/compare/upstream-webapp...webapp-10.7
If you're open to this, I'd be happy to open a pull request with my changes!
Thanks, Matt
-- Matthew R. Dziuban mattdziuban.com 703-973-6717 mrdziuban@gmail.com
basex-talk@mailman.uni-konstanz.de
-
Christian Grün -
Matthew Dziuban