Newly created users via Active Directory auth may not inherit Octopus permissions correctly based on their Octopus team membership

Open donnybell opened this issue 2 years ago • 0 comments

Team

  • [X] I've assigned a team label to this issue

Severity

No response

Version

2022.3.10723

Latest Version

No response

What happened?

Newly created users via Active Directory auth may not inherit Octopus permissions correctly based on their Octopus team membership. It may also be possible for this to occur with existing users. However, I've not been able to reproduce this reliably.

Reproduction

  • Set up a simple AD auth via Ntlm. Include an OU if you wish.
  • Add an Active Directory Group to the Octopus Administrators Team
  • Create a user in AD and make them a member of the Active Directory Group
  • Log in with the new user in Octopus Deploy
  • You should see a permissions error at the top

Error and Stacktrace

INFO  "You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: AdministerSystem"
Octopus.Core.Security.Permissions.UserDoesNotHaveAccessException: You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: AdministerSystem
   at Octopus.Server.Web.Infrastructure.OctopusQueryExecutor.AssertCanViewDocumentTypeInAnyPartition[TDocument,TKey]() in ./source/Octopus.Server/Web/Infrastructure/OctopusQueryExecutor.cs:line 425
   at Octopus.Server.Web.Infrastructure.OctopusQueryExecutor.Load[TDocument,TKey](TKey id, CancellationToken cancellationToken) in ./source/Octopus.Server/Web/Infrastructure/OctopusQueryExecutor.cs:line 215
   at Octopus.Core.Persistence.Database.ProjectPathDecorators.ProjectPathQueryExecutorDecorator.Load[TDocument,TKey](TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/ProjectPathDecorators/ProjectPathQueryExecutorDecorator.cs:line 39
   at Octopus.Core.Persistence.Database.SlugDecorators.SlugQueryExecutorDecorator.Load[TDocument,TKey](TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/SlugDecorators/SlugQueryExecutorDecorator.cs:line 41
   at Octopus.Core.Persistence.Database.DatabaseDocumentStore`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/DatabaseDocumentStore.cs:line 64
   at Octopus.Core.Persistence.Git.SlugDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Git/SlugDocumentStoreDecorator.cs:line 83
   at Octopus.Core.Persistence.Database.FullTableCacheDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/FullTableCacheDocumentStoreDecorator.cs:line 60
   at Octopus.Core.Persistence.Database.ProjectPathDecorators.ProjectPathDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/ProjectPathDecorators/ProjectPathDocumentStoreDecorator.cs:line 33
   at Octopus.Core.Persistence.EntityTracking.EntityTracker.GetOrTrack[TDocument,TKey](TKey id, Func`3 getDocument, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/EntityTracking/EntityTracker.cs:line 70
   at Octopus.Core.Persistence.EntityTracking.EntityTrackingDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/EntityTracking/EntityTrackingDocumentStoreDecorator.cs:line 47
   at Octopus.Core.Persistence.Auditing.AuditingDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Auditing/AuditingDocumentStoreDecorator.cs:line 64
   at Octopus.Core.Persistence.Database.Deletion.DeleteRelatedDocumentsDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/Deletion/DeleteRelatedDocumentsDocumentStoreDecorator.cs:line 35
   at Octopus.Core.Persistence.Database.Deletion.VetoDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/Deletion/VetoDocumentStoreDecorator.cs:line 34
   at Octopus.Core.Persistence.Database.AccessCheckingDocumentStoreDecorator`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/Database/AccessCheckingDocumentStoreDecorator.cs:line 42
   at Octopus.Core.Persistence.DocumentStore`2.Get(TKey id, CancellationToken cancellationToken) in ./source/Octopus.Core/Persistence/DocumentStore.cs:line 76
   at Octopus.Core.Features.Configuration.Telemetry.GetTelemetryConfigurationRequestHandler.Handle(GetTelemetryConfigurationRequest request, CancellationToken cancellationToken) in ./source/Octopus.Core/Features/Configuration/Telemetry/GetTelemetryConfigurationRequestHandler.cs:line 26
   at Octopus.Core.Infrastructure.Mediator.AutofacMediator.Request[TRequest,TResponse](IRequest`2 request, CancellationToken cancellationToken) in ./source/Octopus.Core/Infrastructure/Mediator/AutofacMediator.cs:line 38
   at Octopus.Core.Infrastructure.Mediator.Decorators.SystemComponentModelValidationDecorator.Request[TRequest,TResponse](IRequest`2 request, CancellationToken cancellationToken) in ./source/Octopus.Core/Infrastructure/Mediator/Decorators/SystemComponentModelValidationDecorator.cs:line 44
   at Octopus.Core.Infrastructure.Mediator.Decorators.FluentValidationsDecorator.Request[TRequest,TResponse](IRequest`2 request, CancellationToken cancellationToken) in ./source/Octopus.Core/Infrastructure/Mediator/Decorators/FluentValidationsDecorator.cs:line 66
   at Octopus.Core.Infrastructure.Mediator.Decorators.MessageBusSiphoningDecorator.Request[TRequest,TResponse](IRequest`2 request, CancellationToken cancellationToken) in ./source/Octopus.Core/Infrastructure/Mediator/Decorators/MessageBusSiphoningDecorator.cs:line 38
   at Octopus.Server.Web.Controllers.Configuration.Telemetry.GetTelemetryConfigurationController.GetTelemetryConfiguration(GetTelemetryConfigurationRequest request, CancellationToken cancellationToken) in ./source/Octopus.Server/Web/Controllers/Configuration/Telemetry/GetTelemetryConfigurationController.cs:line 28
   at lambda_method8374(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Logged|12_1(ControllerActionInvoker invoker)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Octopus.Server.Web.Infrastructure.Authentication.AuthorizationMiddlewareResultHandler.HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult) in ./source/Octopus.Server/Web/Infrastructure/Authentication/AuthorizationMiddlewareResultHandler.cs:line 52
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Octopus.Server.Web.UnitOfWorkMiddleware.InvokeAsync(HttpContext httpContext, IUnitOfWork unitOfWork) in ./source/Octopus.Server/Web/UnitOfWorkMiddleware.cs:line 47
   at Octopus.Server.Web.UnitOfWorkMiddleware.InvokeAsync(HttpContext httpContext, IUnitOfWork unitOfWork) in ./source/Octopus.Server/Web/UnitOfWorkMiddleware.cs:line 47
   at Octopus.Server.Web.Middleware.OctopusClientOldVersionWarningMiddleware.InvokeAsync(HttpContext context, IAutomationContext automationContext) in ./source/Octopus.Server/Web/Middleware/OctopusClientOldVersionWarningMiddleware.cs:line 53
   at Octopus.Server.Web.Middleware.DynamicContentHeadersMiddleware.InvokeAsync(HttpContext context) in ./source/Octopus.Server/Web/Middleware/DynamicContentHeadersMiddleware.cs:line 49
   at Octopus.Server.Web.Middleware.PrivateSpaceToggleMiddleware.InvokeAsync(HttpContext context) in ./source/Octopus.Server/Web/Middleware/PrivateSpaceToggleMiddleware.cs:line 56
   at Octopus.Server.Web.Middleware.MaintenanceModeMiddleware.InvokeAsync(HttpContext context) in ./source/Octopus.Server/Web/Middleware/MaintenanceModeMiddleware.cs:line 61
   at Octopus.Server.Web.Middleware.OctopusAuthenticationMiddleware.InvokeAsync(HttpContext context, IUserAuthenticator userAuthenticator, IAuthCookieService authCookieService, IWebAuthCache authCache, ILogger logger) in ./source/Octopus.Server/Web/Middleware/OctopusAuthenticationMiddleware.cs:line 57
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Octopus.Server.Web.Middleware.LegacyRequestLoggerMiddleware.InvokeAsync(HttpContext context) in ./source/Octopus.Server/Web/Middleware/LegacyRequestLoggerMiddleware.cs:line 42
   at Octopus.Server.Web.Middleware.TelemetryMiddleware.InvokeAsync(HttpContext context) in ./source/Octopus.Server/Web/Middleware/TelemetryMiddleware.cs:line 76
   at Octopus.Server.Web.Middleware.ErrorHandlingMiddleware.InvokeAsync(HttpContext context) in ./source/Octopus.Server/Web/Middleware/ErrorHandlingMiddleware.cs:line 98

More Information

Default Space does not show up for an affected user: [screenshot]

In this case, the Team assignment does show up (sometimes it doesn't). However, the permissions issue remains: [screenshot]

Workaround

For the broken-users issue in 2022.3.X:

  • If a Team assignment is not showing up, try running the Sync External Security Groups task
  • If a Team assignment is present, but permissions are still messed up, reboot the Octopus Server service via Octopus Manager after a fresh Sync External Security Groups task run

How to find a Sync External Security Groups task: [screenshot]

How to re-run the task on command: [screenshot]

How to reboot the Octopus Server service: [screenshot]

donnybell, Nov 22 '22 14:11
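As an added example (not from the issue or from Octopus Deploy's own code), a Python check that maps a user's effective teams and permissions, as returned by the REST API, onto the two workaround steps above so the right step can be picked per affected user. The `/api/users/{id}/teams` and `/api/users/{id}/permissions` paths, their field names and the embedded sample responses are assumptions; the `X-Octopus-ApiKey` header is the documented API-key header.

```python
import json
import urllib.request

# Constructed sample responses (not captured from a real server), shaped like the
# Octopus API's user teams and user permission-set payloads as assumed here.
# They model the issue's second case: team present, AdministerSystem still missing.
SAMPLE_TEAMS = [{"Id": "teams-1", "Name": "Octopus Administrators"}]
SAMPLE_PERMISSIONS = {"SystemPermissions": ["TeamView"], "SpacePermissions": {}}

REQUIRED_TEAM = "Octopus Administrators"
REQUIRED_PERMISSION = "AdministerSystem"  # the permission the stack trace reports missing


def diagnose(teams, permissions, team=REQUIRED_TEAM, permission=REQUIRED_PERMISSION):
    """Map a user's teams/permissions onto the issue's workaround steps.

    Returns "ok" when the permission is present, "run-sync" when the team assignment
    is missing (run the Sync External Security Groups task), or "sync-then-restart"
    when the team is present but the permission is still missing (run the sync task,
    then restart the Octopus Server service).
    """
    in_team = any(t.get("Name") == team for t in teams)
    # System permissions are a plain list; space permissions are keyed by permission name
    # (assumed layout of the permission-set document).
    granted = set(permissions.get("SystemPermissions", []))
    granted |= set(permissions.get("SpacePermissions", {}).keys())
    if permission in granted:
        return "ok"
    return "sync-then-restart" if in_team else "run-sync"


def fetch_json(server_url, api_key, path):
    """GET a JSON document from the Octopus API, authenticating with an API key."""
    req = urllib.request.Request(
        server_url.rstrip("/") + path, headers={"X-Octopus-ApiKey": api_key}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def diagnose_user(server_url, api_key, user_id):
    """Fetch a live user's teams and permissions and return the workaround step."""
    teams = fetch_json(server_url, api_key, f"/api/users/{user_id}/teams")
    perms = fetch_json(server_url, api_key, f"/api/users/{user_id}/permissions")
    return diagnose(teams, perms)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: expect "sync-then-restart".
    print(diagnose(SAMPLE_TEAMS, SAMPLE_PERMISSIONS))
```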