  1. Red Hat 3scale API Management
  2. THREESCALE-7491

Member user in Analytics group getting Access Denied when accessing the Backend analytics


      The proposed workaround is to use the Backend Traffic by Metric API until there is a fix for accessing the Backend Analytics UI:

      curl -v -X GET "https://<ADMIN_PORTAL_DOMAIN>/stats/backend_apis/<BACKEND_API_ID>/usage.json?access_token=<ACCESS_TOKEN>&metric_name=<METRIC_NAME>&since=<YYYY-MM-DD>&period=week&until=<YYYY-MM-DD>&granularity=month&skip_change=true"

       

      • Log in to the Admin Portal with a member user that has only "Access & query analytics" permissions
      • In the dashboard, try to access any available Backend
      • You'll get the Access Denied error

    Description

      When a member user is assigned Analytics permissions (Access & query analytics) and tries to access a Backend's analytics through the Admin Portal dashboard, the message Access Denied is returned.

      The problem seems to be that there's no top-level menu item that allows navigating to analytics directly. Inspecting the Admin Portal dashboard, I can see that the Backend URLs reference /p/admin/backend_apis/<backend_id> directly instead of /p/admin/backend_apis/<backend_id>/stats/usage:

       

      <a href="/p/admin/backend_apis/3" id="single-action-item1">HTTPBIN_BACKEND</a> 
      

      I'm sharing the system-provider log below:

      [0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Started GET "/check.txt" for 10.131.0.1 at 2021-08-27 20:09:24 +0000
      [0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Processing by ChecksController#check as */*
      [0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Rendering text template
      [0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Rendered text template (0.0ms)
      [0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Completed 200 OK in 4ms (Views: 0.8ms | ActiveRecord: 0.0ms)
      10.131.0.1 - - [27/Aug/2021:20:09:24 +0000] "GET /check.txt HTTP/1.1" 200 - 0.0095
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Started GET "/p/admin/backend_apis/3" for 10.0.91.25 at 2021-08-27 20:09:26 +0000
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Processing by Provider::Admin::BackendApisController#show as HTML
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Parameters: {"id"=>"3"}
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(finance) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(partners) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(monitoring) => true
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(finance) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(partners) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(plans) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(settings) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(monitoring) => true
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(portal) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(legal) => false
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Handling Exception: You are not authorized to access this page. with status forbidden
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendering errors/provider/forbidden.html.erb within layouts/error
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered errors/provider/forbidden.html.erb within layouts/error (0.1ms)
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered provider/_analytics.html.erb (0.1ms)
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered provider/_logo.html.slim (0.0ms)
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered provider/_footer_powered_by_part.html.slim (0.0ms)
      [5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Completed 403 Forbidden in 92ms (Views: 4.5ms | ActiveRecord: 7.6ms)
      10.0.91.25 - - [27/Aug/2021:20:09:26 +0000] "GET /p/admin/backend_apis/3 HTTP/1.1" 403 - 0.1033
      10.0.91.25 - - [27/Aug/2021:20:09:27 +0000] "GET /assets/error-a0706ff249c33f59e35929b3c67bbff618f9ebb43fa4a06a4ee13d933ea28404.css HTTP/1.1" 200 15575 0.0037

      If this can't be fixed, we should change the permission name to make it clearer to the user (since they do have access at the product level).
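
To triage this kind of denial from a system-provider log, the added example below (not part of the original report and not 3scale code) groups the tagged log lines by request ID and lists requests that ended in 403 even though a has_permission? check returned true. The sample log is a constructed excerpt with a placeholder host and user name, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like the system-provider log above (placeholder host and user).
SAMPLE_LOG = '''\
[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Started GET "/check.txt" for 10.131.0.1 at 2021-08-27 20:09:24 +0000
[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Completed 200 OK in 4ms (Views: 0.8ms | ActiveRecord: 0.0ms)
10.131.0.1 - - [27/Aug/2021:20:09:24 +0000] "GET /check.txt HTTP/1.1" 200 - 0.0095
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] Started GET "/p/admin/backend_apis/3" for 10.0.91.25 at 2021-08-27 20:09:26 +0000
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] Processing by Provider::Admin::BackendApisController#show as HTML
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] ~> member1 has_permission?(finance) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] ~> member1 has_permission?(partners) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] ~> member1 has_permission?(monitoring) => true
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] ~> member1 has_permission?(plans) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [admin.example.test] [10.0.91.25] Completed 403 Forbidden in 92ms (Views: 4.5ms | ActiveRecord: 7.6ms)
'''

TAGGED = re.compile(r"^\s*\[([0-9a-f-]{36})\] \[[^\]]*\] \[[^\]]*\] (.*)$")
STARTED = re.compile(r'^Started (\w+) "([^"]+)"')
ACTION = re.compile(r"^Processing by (\S+) as")
PERM = re.compile(r"^~> (\S+) has_permission\?\((\w+)\) => (true|false)")
DONE = re.compile(r"^Completed (\d{3})")

def summarize(log_text):
    """Group tagged lines by request id; collect route, permission checks and status."""
    reqs = {}
    for line in log_text.splitlines():
        tagged = TAGGED.match(line)
        if not tagged:  # access-log lines carry no request id; skip them
            continue
        rid, msg = tagged.groups()
        r = reqs.setdefault(rid, {"path": None, "action": None, "user": None,
                                  "granted": set(), "denied": set(), "status": None})
        if m := STARTED.match(msg):
            r["path"] = m.group(2)
        elif m := ACTION.match(msg):
            r["action"] = m.group(1)
        elif m := PERM.match(msg):
            r["user"] = m.group(1)
            r["granted" if m.group(3) == "true" else "denied"].add(m.group(2))
        elif m := DONE.match(msg):
            r["status"] = int(m.group(1))
    return reqs

def forbidden_with_grants(log_text):
    """Requests that ended in 403 although at least one permission check returned true."""
    return [r for r in summarize(log_text).values() if r["status"] == 403 and r["granted"]]

if __name__ == "__main__":
    print(forbidden_with_grants(SAMPLE_LOG))
```

A hit pairs the controller action with the permissions the user holds and lacks, which is the information needed to decide whether the route or the permission's label is wrong.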

       


          People

            rhn-support-dmayorov Daria Mayorova
            gpereira@redhat.com Gustavo Pereira