<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:19:31 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2280] tenant superuser granted excessive okapi permissions</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2280</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Tenant super user is granted excessive Okapi permissions (okapi.*) on FOLIO instances built in the hosted CI environment and FOLIO vagrant-based images. For example, it is currently possible for a tenant super user, like diku_admin, to create new tenants via the Okapi /tenants endpoint.&lt;/p&gt;

&lt;p&gt;Before removing excessive permission:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;allow time to update folio-api-tests repo&lt;/li&gt;
	&lt;li&gt;make sure ui-regression tests are not impacted by this change&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="81435">FOLIO-2280</key>
            <summary>tenant superuser granted excessive okapi permissions</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5cd423bebc70090d6ce241b1">Ian Hardy</assignee>
                                                                <reporter accountid="5f9abc1eb45b2e007453f423">John Malconian</reporter>
                                    <labels>
                            <label>security</label>
                    </labels>
                <created>Tue, 24 Sep 2019 20:28:25 +0000</created>
                <updated>Tue, 13 Jul 2021 08:52:41 +0000</updated>
                            <resolved>Tue, 10 Mar 2020 15:01:21 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>7</watches>
                                                                <comments>
                                                            <comment id="193506" author="5f9abc1eb45b2e007453f423" created="Tue, 24 Sep 2019 20:30:15 +0000"  >&lt;p&gt;example:&lt;/p&gt;

&lt;div class=&quot;preformatted panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;preformattedContent panelContent&quot;&gt;
&lt;pre&gt;
login as diku_admin
curl https://folio-testing-okapi.aws.indexdata.com:443/authn/login -H &apos;Content-Type: application/json&apos; -H &apos;X-Okapi-Tenant: diku&apos; --data-binary &apos;{&quot;username&quot;:&quot;diku_admin&quot;,&quot;password&quot;:&quot;admin&quot;}&apos; -H &apos;Cache-control: no-cache&apos; -v -w &apos;\n&apos; -o /dev/null

+ TOKEN=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ........

Without the token:
$ curl $OKAPI/_/proxy/tenants -H &quot;Content-type: application/json&quot; -XPOST -d &apos;{ &quot;id&quot;: &quot;testing&quot;, &quot;name&quot;: &quot;POC tenant&quot; }&apos;
Access requires permission: okapi.proxy.tenants.post 

With the token
$ curl $OKAPI/_/proxy/tenants -H &quot;Content-type: application/json&quot; -H &quot;X-Okapi-Token: $TOKEN&quot; -XPOST -d &apos;{ &quot;id&quot;: &quot;testing&quot;, &quot;name&quot;: &quot;POC tenant&quot; }&apos;
{
  &quot;id&quot; : &quot;testing&quot;,
  &quot;name&quot; : &quot;POC tenant&quot;
}

$ curl $OKAPI/_/proxy/tenants
[ {
  &quot;id&quot; : &quot;diku&quot;,
  &quot;name&quot; : &quot;Datalogisk Institut&quot;,
  &quot;description&quot; : &quot;Danish Library Technology Institute&quot;
}, {
  &quot;id&quot; : &quot;invoicing_api_tests&quot;,
  &quot;name&quot; : &quot;Test invoices tenant&quot;,
  &quot;description&quot; : &quot;Tenant for test purpose&quot;
}, {
  &quot;id&quot; : &quot;supertenant&quot;,
  &quot;name&quot; : &quot;supertenant&quot;,
  &quot;description&quot; : &quot;Okapi built-in super tenant&quot;
}, {
  &quot;id&quot; : &quot;testing&quot;,
  &quot;name&quot; : &quot;POC tenant&quot;
} ]

&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
</comment>
                                                            <comment id="193511" author="5f9abc1eb45b2e007453f423" created="Tue, 24 Sep 2019 20:33:22 +0000"  >&lt;p&gt;Looks like tenant admins currently get the &apos;okapi.all&apos; permission. Refine this if possible.&lt;/p&gt;</comment>
                                                            <comment id="193516" author="5cd423bebc70090d6ce241b1" created="Wed, 9 Oct 2019 20:02:38 +0000"  >&lt;p&gt;There are some API tests run by hand in &lt;a href=&quot;https://github.com/folio-org/folio-api-tests&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/folio-api-tests&lt;/a&gt; that use diku_admin to create tenants and will begin to fail when this is fixed. To provide a workaround, we&apos;re adding an additional user on the folio-testing build that can be used to create temporary tenants for these tests in its place. Tests can still run on the vagrant boxes without modification since the supertenant is unsecured there.&lt;/p&gt;</comment>
                                                            <comment id="193522" author="5cd423bebc70090d6ce241b1" created="Wed, 16 Oct 2019 13:42:42 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; would you be OK with setting a date to close up this loophole? What seems reasonable, a week or two, maybe longer? Could help people prioritize updating tests.&lt;/p&gt;</comment>
                                                            <comment id="193527" author="5cf6c546b87c300f36eb7b9a" created="Fri, 18 Oct 2019 15:50:38 +0000"  >&lt;p&gt;I&apos;ve created user stories - it&apos;s out of my hands at this point.  I&apos;ll refer you to our PO &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A2f7b6349-450b-419a-ba54-c181f51383ad&quot; class=&quot;user-hover&quot; rel=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; data-account-id=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; accountid=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; rel=&quot;noreferrer&quot;&gt;Dennis Bridges&lt;/a&gt; to get this prioritized and sync up on a reasonable deadline.&lt;/p&gt;</comment>
                                                            <comment id="193532" author="557058:2f7b6349-450b-419a-ba54-c181f51383ad" created="Fri, 18 Oct 2019 17:14:07 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cd423bebc70090d6ce241b1&quot; class=&quot;user-hover&quot; rel=&quot;5cd423bebc70090d6ce241b1&quot; data-account-id=&quot;5cd423bebc70090d6ce241b1&quot; accountid=&quot;5cd423bebc70090d6ce241b1&quot; rel=&quot;noreferrer&quot;&gt;Ian Hardy&lt;/a&gt;, we&apos;re planning to include the required updates defined by Craig for this issue in sprint 75. Thus, we will need at least two weeks to implement the changes. That said we have another sprint review Monday to confirm. If things change I will let you know. thx!&lt;/p&gt;</comment>
                                                            <comment id="193540" author="5cd423bebc70090d6ce241b1" created="Mon, 21 Oct 2019 14:00:51 +0000"  >&lt;p&gt;Thanks &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A2f7b6349-450b-419a-ba54-c181f51383ad&quot; class=&quot;user-hover&quot; rel=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; data-account-id=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; accountid=&quot;557058:2f7b6349-450b-419a-ba54-c181f51383ad&quot; rel=&quot;noreferrer&quot;&gt;Dennis Bridges&lt;/a&gt; and Craig. I&apos;ll change the links to blocking and we&apos;ll handle this one after sprint 75 when those are resolved.&lt;/p&gt;</comment>
                                                            <comment id="193546" author="5cd423bebc70090d6ce241b1" created="Mon, 9 Mar 2020 13:52:51 +0000"  >&lt;p&gt;Update CQL to exclude okapi.* instead of okapi.all to protect against any future okapi permissions making their way in.&lt;/p&gt;</comment>
                                                            <comment id="193551" author="5cd423bebc70090d6ce241b1" created="Mon, 9 Mar 2020 13:53:59 +0000"  >&lt;p&gt;This ticket has been open for some time and we&apos;ve reached a point where we need to merge it to improve security on the reference environments. Pulling into current sprint.&lt;/p&gt;</comment>
                                                            <comment id="193557" author="5cd423bebc70090d6ce241b1" created="Mon, 9 Mar 2020 17:50:16 +0000"  >&lt;p&gt;Struggling with some weird ansible behavior here. The tenant-admin-permissions role runs at least twice: right after creating the tenant/admin user, and again as a requirement for the ebsco-rmapi-config role. After updating the cql query in the tenant-admin-permissions role on master, I see the new query is picked up the first time, but not the second time the role runs in the same build.&lt;/p&gt;

&lt;p&gt;For example, in this build: &lt;a href=&quot;https://jenkins-aws.indexdata.com/job/Automation/job/folio-snapshot-test/111/consoleFull&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://jenkins-aws.indexdata.com/job/Automation/job/folio-snapshot-test/111/consoleFull&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Search for &quot;Get all permissionSets not included&quot; and you&apos;ll get two hits. The first time there&apos;s the &quot;excluding okapi&quot; message I added when I updated the cql query; the second time, not. Seems like when it&apos;s included in ebsco-rmapi-config/meta/main.yml it&apos;s not running the latest version of master. Does this sound familiar &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c706fbb47a54a6728e59df2&quot; class=&quot;user-hover&quot; rel=&quot;5c706fbb47a54a6728e59df2&quot; data-account-id=&quot;5c706fbb47a54a6728e59df2&quot; accountid=&quot;5c706fbb47a54a6728e59df2&quot; rel=&quot;noreferrer&quot;&gt;Wayne Schneider&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f9abc1eb45b2e007453f423&quot; class=&quot;user-hover&quot; rel=&quot;5f9abc1eb45b2e007453f423&quot; data-account-id=&quot;5f9abc1eb45b2e007453f423&quot; accountid=&quot;5f9abc1eb45b2e007453f423&quot; rel=&quot;noreferrer&quot;&gt;John Malconian&lt;/a&gt; or &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=61cd0ca0bce5e00069e98be7&quot; class=&quot;user-hover&quot; rel=&quot;61cd0ca0bce5e00069e98be7&quot; data-account-id=&quot;61cd0ca0bce5e00069e98be7&quot; accountid=&quot;61cd0ca0bce5e00069e98be7&quot; rel=&quot;noreferrer&quot;&gt;David Crossley&lt;/a&gt;. I&apos;ll continue looking into it. It&apos;s strange and I was wondering if any of you had seen it before.&lt;/p&gt;</comment>
                                                            <comment id="193565" author="5c706fbb47a54a6728e59df2" created="Mon, 9 Mar 2020 20:23:51 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cd423bebc70090d6ce241b1&quot; class=&quot;user-hover&quot; rel=&quot;5cd423bebc70090d6ce241b1&quot; data-account-id=&quot;5cd423bebc70090d6ce241b1&quot; accountid=&quot;5cd423bebc70090d6ce241b1&quot; rel=&quot;noreferrer&quot;&gt;Ian Hardy&lt;/a&gt; it looks like there is a customized &quot;tenant-admin-permissions&quot; role in folio-infrastructure (&lt;a href=&quot;https://github.com/folio-org-priv/folio-infrastructure/tree/master/CI/ansible/roles/tenant-admin-permissions&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org-priv/folio-infrastructure/tree/master/CI/ansible/roles/tenant-admin-permissions&lt;/a&gt;) which gets called when ebsco-rmapi-config includes the role in the meta/main.yml file, because folio-ansible/roles is not on the roles path. I&apos;m not sure why there is a customized tenant-admin-permissions role or how it differs from the stock one.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="81492">FOLIO-2499</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10002">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="81496">FOLIO-2505</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="70881">MODFIN-72</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81723">FOLIO-2582</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="72992">MODGOBI-88</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="66404">MODINVOICE-107</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="59635">MODORDERS-318</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="74897">MODORGSTOR-46</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i006kf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1984">DevOps: sprint 84</customfieldvalue>
    <customfieldvalue id="1857">CP: sprint 74</customfieldvalue>
    <customfieldvalue id="1419">CP: sprint 73</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 9 Oct 2019 20:02:38 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>