
Cannot delete SM user with Justifications.

Open falcoris opened this issue 8 years ago • 6 comments

Hi

I've created a test user that I can't seem to delete with the GUI interface, and there doesn't seem to be a CLI monkey command to do it.

The delete button on the GUI interface just doesn't do anything, apparently; I tried on multiple browsers to rule that out.

falcoris avatar Jul 27 '17 22:07 falcoris

Are you trying to delete the user you're logged in as? I get this if I try to do that, but if I create a second account using the terminal, then I can delete it.

Xeteskian avatar Jul 27 '17 22:07 Xeteskian

No, I am using a different one. Both are admin if that information could be valuable.

falcoris avatar Jul 27 '17 22:07 falcoris

Any log messages when this happens?

scriptsrc avatar Aug 01 '17 17:08 scriptsrc

Yes, actually:

==> /var/log/security_monkey/securitymonkey.log <==
2017-08-01 21:29:23,826 ERROR: Internal Error [in /usr/local/src/security_monkey/venv/local/lib/python2.7/site-packages/Flask_RESTful-0.3.3-py2.7.egg/flask_restful/__init__.py:299]
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/venv/local/lib/python2.7/site-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/src/security_monkey/venv/local/lib/python2.7/site-packages/Flask-0.10.1-py2.7.egg/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/src/security_monkey/venv/local/lib/python2.7/site-packages/Flask_RESTful-0.3.3-py2.7.egg/flask_restful/__init__.py", line 462, in wrapper
    resp = resource(*args, **kwargs)
  File "/usr/local/src/security_monkey/venv/local/lib/python2.7/site-packages/Flask-0.10.1-py2.7.egg/flask/views.py", line 84, in view
    return self.dispatch_request(*args, **kwargs)
  File "/usr/local/src/security_monkey/venv/local/lib/python2.7/site-packages/Flask_RESTful-0.3.3-py2.7.egg/flask_restful/__init__.py", line 572, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/usr/local/src/security_monkey/security_monkey/views/users.py", line 151, in delete
    db.session.commit()
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/scoping.py", line 149, in do
    return getattr(self.registry(), name)(*args, **kwargs)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 765, in commit
    self.transaction.commit()
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 370, in commit
    self._prepare_impl()
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 350, in _prepare_impl
    self.session.flush()
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 1879, in flush
    self._flush(objects)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 1997, in _flush
    transaction.rollback(_capture_exception=True)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/util/langhelpers.py", line 57, in __exit__
    compat.reraise(exc_type, exc_value, exc_tb)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 1961, in _flush
    flush_context.execute()
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/unitofwork.py", line 370, in execute
    rec.execute(self)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/unitofwork.py", line 551, in execute
    uow
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/persistence.py", line 116, in delete_obj
    cached_connections, mapper, table, delete)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/persistence.py", line 705, in _emit_delete_statements
    connection.execute(statement, del_objects)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 717, in execute
    return meth(self, multiparams, params)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/sql/elements.py", line 317, in _execute_on_connection
    return connection._execute_clauseelement(self, multiparams, params)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 814, in _execute_clauseelement
    compiled_sql, distilled_params
  File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 927, in _execute_context
    context)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 1076, in _handle_dbapi_exception
    exc_info
  File "build/bdist.linux-x86_64/egg/sqlalchemy/util/compat.py", line 185, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 920, in _execute_context
    context)
  File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/default.py", line 425, in do_execute
    cursor.execute(statement, parameters)
IntegrityError: (IntegrityError) update or delete on table "user" violates foreign key constraint "itemaudit_justified_user_id_fkey" on table "itemaudit"
DETAIL:  Key (id)=(1) is still referenced from table "itemaudit".
 'DELETE FROM "user" WHERE "user".id = %(id)s' {'id': 1}

==> /var/log/security_monkey/security_monkey.access.log <==
202.46.176.66 - - [01/Aug/2017:21:29:23 +0000] "DELETE /api/1/users/1 HTTP/1.1" 500 51 "https://securitymonkey.someurl.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0"

falcoris avatar Aug 01 '17 21:08 falcoris

Good find.

Looks like the User model does not have a directive to cascade deletes to the tables for which it has relationships. In this case, it appears the user has justified an issue, so the DB doesn't know what to do about the dangling justification.

I'll file this as a bug.

https://github.com/Netflix/security_monkey/blob/develop/security_monkey/datastore.py#L160

scriptsrc avatar Aug 01 '17 22:08 scriptsrc

Temporary solution is to deactivate the user.

scriptsrc avatar Aug 01 '17 22:08 scriptsrc
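
The constraint failure in the log and the options raised in the thread, as an added example that is not part of the original issue or of Security Monkey's code. It uses Python's built-in `sqlite3` as a stand-in for PostgreSQL, takes the names `user`, `itemaudit` and `justified_user_id` from the error message, and assumes the remaining columns (`email`, `active`, `justification`) and the sample rows.

```python
import sqlite3

def make_db(on_delete=""):
    """Create both tables; on_delete is appended to the foreign key clause."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    db.execute('CREATE TABLE "user" (id INTEGER PRIMARY KEY, email TEXT, '
               "active INTEGER DEFAULT 1)")  # email/active: assumed columns
    db.execute("CREATE TABLE itemaudit (id INTEGER PRIMARY KEY, justification TEXT, "
               'justified_user_id INTEGER REFERENCES "user"(id) ' + on_delete + ")")
    # Constructed sample rows: user 1 has justified one audit issue.
    db.execute("INSERT INTO \"user\" (id, email) VALUES (1, 'test@example.com')")
    db.execute("INSERT INTO itemaudit VALUES (10, 'accepted risk', 1)")
    db.commit()
    return db

def delete_user(db, user_id):
    """Return 'deleted', or 'blocked' when the foreign key rejects the delete."""
    try:
        db.execute('DELETE FROM "user" WHERE id = ?', (user_id,))
        db.commit()
        return "deleted"
    except sqlite3.IntegrityError:
        db.rollback()
        return "blocked"

def deactivate_user(db, user_id):
    """Workaround from the thread: keep the row, clear the active flag."""
    db.execute('UPDATE "user" SET active = 0 WHERE id = ?', (user_id,))
    db.commit()

def audit_rows(db):
    return db.execute("SELECT id, justification, justified_user_id "
                      "FROM itemaudit").fetchall()

def compare():
    """Outcome and surviving audit rows for each foreign key policy."""
    results = {}
    for policy in ("", "ON DELETE SET NULL", "ON DELETE CASCADE"):
        db = make_db(policy)
        results[policy or "default"] = (delete_user(db, 1), audit_rows(db))
    db = make_db()
    deactivate_user(db, 1)
    active = db.execute('SELECT active FROM "user" WHERE id = 1').fetchone()[0]
    results["deactivate"] = (active, audit_rows(db))
    return results

if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

With `ON DELETE CASCADE` the justification row is removed together with the user, while `ON DELETE SET NULL` and deactivation both keep the audit record.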