Details
- Bug
- Status: Done
- Medium
- Resolution: Fixed
- None
- Yes
- Yes
- [obsolete] Server Features
Description
Impact on the user: a PMM user with Admin permission is not able to see logs (but the same user can do everything else in the system)
STR:
- Open PMM
- Create a user with Admin level (but not Grafana Admin)
- Create a new user in the Grafana UI (image(1))
- Edit the user and disable the Grafana Admin permission (image(2))
- Download logs from https://SERVER_IP/logs.zip
Expected results:
- file was downloaded
Given results:
- {"code":7,"error":"Access denied.","message":"Access denied."}
Considering that https://confluence.percona.com/display/PMM/PMM2%3A+PMM+Security+Model states "A special user flag "Grafana Admin" is not used by PMM core components too yet.", this looks like a bug.
Original report:
Trying to download the diagnostic log file using the PMM login user (in my case, the vinodhpmm:admin user) created with ADMIN privilege gives an error.
Vinodhs-MacBook-Pro:eeg vinodhkrish$ rm logs.zip
remove logs.zip? y
Vinodhs-MacBook-Pro:eeg vinodhkrish$ curl http://vinodhpmm:admin@localhost:8080/managed/logs.zip > logs.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 63 100 63 0 0 656 0 --:--:-- --:--:-- --:--:-- 656
Vinodhs-MacBook-Pro:eeg vinodhkrish$ cat logs.zip
{"code":7,"error":"Access denied.","message":"Access denied."}
Whereas with the default admin:admin user, I am able to download the proper diagnostic files:
Vinodhs-MacBook-Pro:eeg vinodhkrish$ rm logs.zip
remove logs.zip? y
Vinodhs-MacBook-Pro:eeg vinodhkrish$ curl http://admin:admin@localhost:8080/managed/logs.zip > logs.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 159k 0 159k 0 0 268k 0 --:--:-- --:--:-- --:--:-- 268k
Vinodhs-MacBook-Pro:eeg vinodhkrish$
Vinodhs-MacBook-Pro:eeg vinodhkrish$ unzip logs.zip
Archive: logs.zip
inflating: alertmanager.log
inflating: clickhouse-server.err.log
inflating: clickhouse-server.log
inflating: clickhouse-server.startup.log
inflating: cron.log
inflating: dashboard-upgrade.log
inflating: grafana.log
I believe it is because the ADMIN privilege provided to the PMM login user is Organisational ADMIN privilege and not Server-Admin (Grafana Admin). (see here). But it is a common expectation for a new login user with org ADMIN privilege to download the diagnostic log files.
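In the first curl run of the report, the "Access denied" JSON body was written into logs.zip as if the download had succeeded. As an added example (not part of the original report or of PMM's code), the shell helper below tells a real archive from that error body when verifying the fix; the function names are made up here, and the URL and credentials are whatever the operator passes in.

```shell
#!/bin/sh
# Added example: classify what a logs.zip download actually contains.
# curl without --fail exits 0 and saves an error body to the output file.

# classify_logs_download FILE
# Prints one of:
#   archive        file starts with the ZIP local-file-header magic PK\003\004
#   denied:<code>  file is the JSON "Access denied." body shown in the report
#   empty          file is missing or zero bytes
#   unknown        anything else
classify_logs_download() {
    file=$1
    [ -s "$file" ] || { echo empty; return 0; }

    # First four bytes as hex; 504b0304 for a non-empty ZIP archive.
    magic=$(head -c 4 "$file" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "504b0304" ]; then
        echo archive
        return 0
    fi

    # Error body from the report: {"code":7,"error":"Access denied.",...}
    code=$(sed -n 's/^{"code":\([0-9][0-9]*\),"error":"Access denied\.".*/\1/p' "$file" | head -n 1)
    if [ -n "$code" ]; then
        echo "denied:$code"
        return 0
    fi
    echo unknown
}

# download_logs URL USER:PASS OUTFILE
# Needs a reachable PMM server, so it is only defined here, not called.
# Prints "<http status> <classification>", e.g. for the org-Admin user
# before and after the fix.
download_logs() {
    status=$(curl -s -o "$3" -w '%{http_code}' -u "$2" "$1") || return 1
    echo "$status $(classify_logs_download "$3")"
}
```

Running `download_logs` once with the org-Admin user and once with the default admin user gives a direct before/after comparison of the permission check.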
Issue Links
- is duplicated by PMM-7185 Unable to download PMM logs via GUI by a user with admin role (Done)