Octopus accounts and certificates - custom role who can use them

Piotr · 4 October 2021 13:51

Hello,

We facing with security issue on Octopus. We restricted roles CertificateView and AccountView to limited group of people. This was done, because We have some very important secrets, that must be only used by defined group (view role allow to assign this object in variable view). If developer go to Variable view of project, see error and also in Diagnostic view We see error about lack of privileges.

In our opinion there are should be possibility to see this accounts and certificates, but only defined group of people can assign It with project in variable view. For our research this cannot be made now. Could you help us with this issue ?

Best regards
Piotr

donny.bell · 4 October 2021 14:34

Hi Piotr,

Thank you for contacting Octopus Support.

For context, could you show me a screenshot of what your affected users are seeing on the variable page?

I look forward to hearing back from you.

Best Regards,
Donny

Piotr · 4 October 2021 15:49

Hello @donny.bell,
thanks for quick response.

Developers see this hint:

In our opinion they shouldn’t see error, can see the account or certificate - but cannot use them in different project.

donny.bell · 4 October 2021 16:01

Hi @Piotr,

Thank you for getting back to me.

Just to confirm, the users that are seeing this message are unable to see any of the Project Variables on this page, correct?

Can you tell me what version of Octopus Server you are currently using? I would like to reproduce this in a test environment to confirm this behavior.

Let me know at your earliest convenience.

Best Regards,
Donny

Piotr · 4 October 2021 16:11

@donny.bell

Developers can see others variables, but this error is little confusing.
Currently We using this version: Version 2021.2 (Build 7580)

donny.bell · 4 October 2021 17:44

Hi @Piotr,

Thank you for the quick response.

I am currently attempting to reproduce this behavior in my test environment.

I hope to be done shortly.

Best Regards,
Donny

donny.bell · 4 October 2021 20:55

Hi @Piotr,

Thank you for your patience. I was able to reproduce this in my test environment.

Despite the warning message, it does appear that users in this scenario would be able to adjust the Variable name and Scoping so long as they have Variable Editing permissions. However, without CertificateView, they will not be able to change the assigned Certificate.

Is the goal to have the VariableEdit users be able to see the names of the Certificates without having CertificateView assigned to the Team’s Role? I apologize if I’m quite understanding. Please feel free to provide more details about your usage scenario.

I look forward to hearing back from you.

Best Regards,
Donny

Piotr · 5 October 2021 11:00

Hello @donny.bell,
thanks for your support! I try to provide more details.

However, without CertificateView, they will not be able to change the assigned Certificate.

You have right, but then error is rising. Our teams have Variable Editing permission, without Certificate View and Account View, because this permission allow them to edit assigned certificate or account. Our main goal is reduce false positive errors, reported in Diagnostic view and for project view - where developers report, that something wrong occurred, when they visiting Variables page. In our opinion permission View shouldn’t be identified as Use permission.
If you have any questions, fell free to ask.

Best
Piotr

donny.bell · 5 October 2021 15:18

Hi @Piotr,

Thank you for getting back to me. I think I now fully understand this issue and how it is affecting you.

I have created a GitHub issue that you may follow here:

github.com/OctopusDeploy/Issues

"Missing Permission" warnings for CertificateView and AccountView when viewing Project Variables page

opened 03:07PM - 05 Oct 21 UTC

donnybell

kind/bug feature/variables state/triage team/fire-and-motion

### Team - [X] I've assigned a team label to this issue ### Severity No…t blocking ### Version Test in 2021.1.7665 and 2021.2.2750 ### Latest Version I could reproduce the problem in the latest build ### What happened? When a User does not have CertificateView and/or AccountView permissions, navigating to Project Variables or a Library Variable Set will generate an error message at the top of the page and warnings in the Server Logs. This should be handled more elegantly, especially in scenarios that are not specifically utilizing certificates or accounts. Possibly related to: https://github.com/OctopusDeploy/Issues/issues/4372 Library Variable Set error message: ![image](https://user-images.githubusercontent.com/63249187/136049108-99510ee6-2ac8-4496-bf3e-cf33a3285c02.png) Corresponding Octopus Server logs warnings: ![image](https://user-images.githubusercontent.com/63249187/136049257-0b5ac59d-b8d5-478a-af29-96f6fabc5ca6.png) ### Reproduction 1.) Create a User with the following permissions: ![image](https://user-images.githubusercontent.com/63249187/136049547-187bb20d-a117-4887-ae48-c917413a7063.png) 2.) Navigate to Project Variables or a Library Variable Set ### Error and Stacktrace _No response_ ### More Information _No response_ ### Workaround The errors on screen and the warnings in the logs are safe to ignore, but could potentially generate quite a bit of noise in the logs depending on the usage scenario.

If you have any additional questions, please let me know.

Best Regards,
Donny

Piotr · 6 October 2021 08:39

Hello @donny.bell,
I’m very glad to see this issue.

Please also take into consideration by engineering team to split current View roles for Certificates and Accounts. View permission shouldn’t be identifies as Use role also. More gradual permission allow to fulfills more restrict polices in companies. For example there are should be permission to list and see this objects and separated role - Use role - that allow to use them in context of Variable Set.

Best regards,
Piotr

donny.bell · 6 October 2021 13:29

Hi @Piotr,

Thank you for getting back to me.

I understand the use case for creating a new tier of permission. For this, I would recommend posting this feature request to our UserVoice forums.

If there is anything else I can assist with, please let me know.

Best Regards,
Donny

system · 6 November 2021 13:30

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.