JWT token auth does not check for everyone@external

Bug #2033261 reported by @les
This bug affects 3 people
Affects: Canonical Juju
Status: Fix Committed
Importance: Medium
Assigned to: Yang Kelvin Liu
Milestone: 3.2.4

Bug Description

In apiserver/authentication/jwt/jwt.go, when checking whether the user is allowed, Juju does not check whether everybody is allowed to perform the action. The following diff seems to fix the situation:

```
diff --git a/apiserver/authentication/jwt/jwt.go b/apiserver/authentication/jwt/jwt.go
index ce8062f05a..58c902395d 100644
--- a/apiserver/authentication/jwt/jwt.go
+++ b/apiserver/authentication/jwt/jwt.go
@@ -118,8 +118,8 @@ func (p *PermissionDelegator) SubjectPermissions(
        }
        // We need to make very sure that the entity the request pertains to
        // is the same entity this function was seeded with.
- if tokenEntity.Tag().String() != e.Tag().String() {
- return permission.NoAccess, fmt.Errorf("%w to use token permissions for one entity on another", errors.NotValid)
+ if tokenEntity.Tag().String() != e.Tag().String() || e.Tag().Id() == "everyone@external" {
+ return permission.NoAccess, fmt.Errorf("%w to use token permissions for one entity on another: %v %v", errors.NotValid, tokenEntity.Tag().String(>
        }
        return PermissionFromToken(p.Token, s)
}
```
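Review bot: the new `|| e.Tag().Id() == "everyone@external"` clause on the changed `if` folds two different failures into one branch, and the error text still reads "to use token permissions for one entity on another", so a caller that reaches the branch because the entity is everyone@external (including the case where tokenEntity and e are both that tag) gets a message that does not describe why it was refused. Split the mismatch check and the everyone@external check into separate `if` statements with their own messages, and use the codebase's constant for that user name rather than the string literal if one exists. The second `+` line is cut off on this page at `tokenEntity.Tag().String(>`, so the remaining format arguments cannot be reviewed here.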

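To show the check the report describes as missing, here is an added example in Go. It is not Juju's code: the Access type, the grants table, the "@external" suffix test and the Token stand-in are all assumptions made for the illustration. It contrasts a lookup that consults only the caller's own grant with one that also applies the everyone@external grant for external users (taking the higher of the two), and it keeps the two guards from the hunk as separate checks with distinct messages.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Access levels, lowest to highest. These are this example's own types, not
// Juju's permission package (assumption made for the illustration).
type Access int

const (
	NoAccess Access = iota
	ReadAccess
	WriteAccess
	AdminAccess
)

func (a Access) String() string {
	return [...]string{"no-access", "read", "write", "admin"}[a]
}

// EveryoneExternal is the pseudo-user whose grant applies to all external
// users; the name is the one given in the bug report.
const EveryoneExternal = "everyone@external"

var ErrNotValid = errors.New("not valid")

// Grants maps target -> user -> explicitly granted access (constructed sample data).
type Grants map[string]map[string]Access

// lookup returns the explicit grant, or NoAccess when target or user is absent
// (indexing a nil map yields the zero value, so no extra checks are needed).
func (g Grants) lookup(target, user string) Access {
	return g[target][user]
}

// isExternal assumes external identities carry an "@external" suffix.
func isExternal(user string) bool { return strings.HasSuffix(user, "@external") }

// effectiveAccessBuggy reproduces the failure mode from the report: only the
// user's own grant is consulted, so a grant to everyone@external is ignored.
func effectiveAccessBuggy(g Grants, target, user string) Access {
	return g.lookup(target, user)
}

// effectiveAccessFixed also consults the everyone@external grant for external
// users and applies the higher of the two; local users are not covered by it.
func effectiveAccessFixed(g Grants, target, user string) Access {
	access := g.lookup(target, user)
	if isExternal(user) {
		if everyone := g.lookup(target, EveryoneExternal); everyone > access {
			access = everyone
		}
	}
	return access
}

// Token is a minimal stand-in for a JWT whose subject is the caller and whose
// claims name the target it was minted for.
type Token struct {
	Subject string
	Target  string
}

// subjectPermissions keeps the hunk's two guards separate: a token may only be
// evaluated for its own subject, and everyone@external is a fallback grant,
// never an identity a token may authenticate as.
func subjectPermissions(g Grants, tok Token, entity string) (Access, error) {
	if tok.Subject != entity {
		return NoAccess, fmt.Errorf("%w: cannot use token permissions for %q on %q", ErrNotValid, tok.Subject, entity)
	}
	if entity == EveryoneExternal {
		return NoAccess, fmt.Errorf("%w: %s is not a subject a token may authenticate as", ErrNotValid, EveryoneExternal)
	}
	return effectiveAccessFixed(g, tok.Target, entity), nil
}

// sampleGrants is constructed data: alice has read, everyone@external has write.
func sampleGrants() Grants {
	return Grants{
		"model-prod": {
			"alice@external": ReadAccess,
			EveryoneExternal: WriteAccess,
		},
	}
}

func main() {
	g := sampleGrants()
	for _, u := range []string{"alice@external", "carol@external", "dave"} {
		fmt.Printf("%-15s buggy=%-9v fixed=%v\n", u, effectiveAccessBuggy(g, "model-prod", u), effectiveAccessFixed(g, "model-prod", u))
	}
	_, err := subjectPermissions(g, Token{Subject: "alice@external", Target: "model-prod"}, "bob@external")
	fmt.Println("cross-entity:", err)
}
```

Running it shows carol@external, who has no explicit grant, getting no-access from the buggy lookup and write from the fixed one, while the local user dave gets no-access from both.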
Changed in juju:
importance: Undecided → Medium
status: New → Triaged
Yang Kelvin Liu (kelvin.liu) wrote:
Changed in juju:
status: Triaged → In Progress
assignee: nobody → Yang Kelvin Liu (kelvin.liu)
milestone: none → 3.2.4
milestone: 3.2.4 → 3.3-beta2
milestone: 3.3-beta2 → 3.2.4
status: In Progress → Fix Committed