Portainer: LDAP users cannot access endpoint data

Created on 2 Apr 2019  ·  3 Comments  ·  Source: portainer/portainer

Bug description

LDAP-imported users (from Active Directory) cannot see Stacks, Services, Containers, Volumes or Networks. The only section that works is Images. The users are given access to the endpoint directly using the manage access option. Neither giving access to the user directly nor via an imported LDAP group works.

Expected behavior
Imported LDAP users should be able to access all the resources that are part of the endpoint the administrator gave them access to.

Steps to reproduce the issue:

  1. Deploy portainer using official deployment info (Swarm mode using composer)
  2. Configure LDAP authentication (either simple bind, TLS or StartTLS)
  3. Go to default "Primary" endpoint and using manage access give access to the user
  4. Log in to Portainer with the user (in the home section he is able to see all the info about the primary endpoint: number of stacks, services, containers, volumes and images)
  5. Click on the primary endpoint on the home page.
  6. The user can see the number of images inside the swarm, but 0 of any other resource (stacks, containers, volumes, services or networks). No error is shown in the container log.

Technical details:

  • Portainer version: 1.20.2
  • Docker version (managed by Portainer): 18.09.03
  • Platform (windows/linux): linux
  • Command used to start Portainer (docker run -p 9000:9000 portainer/portainer): docker stack deploy --compose-file=portainer-agent-stack.yml portainer (default composer file on deployment instructions)
  • Browser: Chrome 73.0.3683.86

All 3 comments

Hi there,

If you log in as an admin, and look at each of the pages (stacks, services, containers, volumes, networks, configs, secrets), take a look at the column “ownership”. If that says “administrators” then standard users will NOT be able to see the resource.

You can elevate your LDAP user to an admin (click on their user account in Portainer and mark them an admin), or change the access control to “public” so all users can see the resources.

This is not a bug and it is actually the normal behavior of the Portainer application.

All of the resources created outside of Portainer will be restricted to administrator users only, this is also the default policy when creating a resource inside Portainer.

When using LDAP/OAuth authentication, newly created users will be assigned the regular user role on creation and thus will not be able to access any existing resources that are restricted to administrators.

As Neil stated, you'll need to assign the administrator role to each of these users.

We have an evolution request to allow a user to change the default ownership available in the app:

https://github.com/portainer/portainer/issues/685

And you can also expect a more robust approach from our next extension that is going to introduce advanced role based access control management.
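
The ownership rule the two replies above describe (administrator-only resources are invisible to regular users, so an LDAP user with the default regular role sees 0 of everything except images) can be modelled in a few lines. The following is an added example written for this page, not Portainer's code, and it does not call the Portainer API: the users, resources and inventory are constructed, the role numbers (1 = administrator, 2 = regular user) are an assumption about Portainer 1.x, and the "restricted" ownership mode with user/team grants is assumed to work as Portainer's third option alongside "administrators" and "public". It shows what the reporter saw, and compares the two remedies from the thread.

```python
from dataclasses import dataclass

# Assumption: Portainer 1.x's API encodes the administrator role as 1 and a
# regular (standard) user as 2. The data model below is a simplification
# built for this example, not Portainer's own code.
ROLE_ADMIN = 1
ROLE_STANDARD = 2


@dataclass
class User:
    name: str
    role: int
    teams: frozenset = frozenset()


@dataclass
class Resource:
    kind: str
    name: str
    ownership: str                   # "administrators", "public" or "restricted"
    users: frozenset = frozenset()   # grants, only used when ownership == "restricted"
    teams: frozenset = frozenset()


def can_see(user: User, res: Resource) -> bool:
    """Return whether `user` may see `res` under the rule described in the thread."""
    if user.role == ROLE_ADMIN:          # administrators see everything
        return True
    if res.ownership == "public":        # visible to every authenticated user
        return True
    if res.ownership == "restricted":    # explicit user or team grant required
        return user.name in res.users or bool(user.teams & res.teams)
    return False                         # "administrators": hidden from regular users


def visible_counts(user: User, resources: list) -> dict:
    """Per-kind count of resources the user would see, like the endpoint page."""
    counts: dict = {}
    for res in resources:
        counts.setdefault(res.kind, 0)
        if can_see(user, res):
            counts[res.kind] += 1
    return counts


def make_public(resources: list, kinds) -> list:
    """Remedy 2 from the thread: switch ownership of the given kinds to public."""
    return [Resource(r.kind, r.name, "public") if r.kind in kinds else r
            for r in resources]


# Constructed inventory: one resource of each kind, all created outside
# Portainer, so every ownership-controlled kind starts as "administrators".
# Images are modelled as public because the reporter could see them and the
# thread treats them as unaffected by ownership.
INVENTORY = [
    Resource("stack", "web", "administrators"),
    Resource("service", "web_nginx", "administrators"),
    Resource("container", "web_nginx.1", "administrators"),
    Resource("volume", "web_data", "administrators"),
    Resource("network", "web_net", "administrators"),
    Resource("image", "nginx:1.15", "public"),
]

if __name__ == "__main__":
    ldap_user = User("jdoe", ROLE_STANDARD)   # a freshly imported LDAP user
    print("regular LDAP user:", visible_counts(ldap_user, INVENTORY))
    print("promoted to admin:", visible_counts(User("jdoe", ROLE_ADMIN), INVENTORY))
    print("stacks made public:", visible_counts(ldap_user, make_public(INVENTORY, {"stack"})))
```

Promoting the user (remedy 1) makes every resource visible, including anything created later, and carries full management rights with it; switching ownership to public (remedy 2) exposes the chosen resources to every regular user, not just the LDAP user in question. The "restricted" branch in `can_see` is the narrower option when only some users or teams should see a resource.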

Thanks guys! It was a little confusing to me at first, but this explains everything.
