Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 2.15.0 GA
Affects Version/s: SaaS, 2.14.1 GA
Component/s: System
Labels:

Epic Link:
Right & Roles related issues
Blocked:
False
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
QE Test Coverage:
+
Target Release:

2.15.0 GA
Workaround Description:
Hide

The proposed workaround is to use the Backend Traffic by Metric API until a fix to access the Backend Analytics UI:

curl -v -X GET "https://<ADMIN_PORTAL_DOMAIN>/stats/backend_apis/<BACKEND_API_ID>/usage.json?access_token=<ACCESS_TOKEN>&metric_name=<METRIC_NAME>&since=<YYYY-MM-DD>&period=week&until=<YYYY-MM-DD>&granularity=month&skip_change=true"
Show
The proposed workaround is to use the Backend Traffic by Metric API until a fix to access the Backend Analytics UI: curl -v -X GET "https: //<ADMIN_PORTAL_DOMAIN>/stats/backend_apis/<BACKEND_API_ID>/usage.json?access_token=<ACCESS_TOKEN>&metric_name=<METRIC_NAME>&since=<YYYY-MM-DD>&period=week&until=<YYYY-MM-DD>&granularity=month&skip_change= true "
Steps to Reproduce:
Hide

Login in the Admin Portal with a member user that has only "Access & query analytics" permissions

In the dashboard, try to access any available Backend

You'll get the Access Denied error
Show
Login in the Admin Portal with a member user that has only "Access & query analytics" permissions In the dashboard, try to access any available Backend You'll get the Access Denied error

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When assigning Analytics permissions (Access & query analytics) to a member user and this user tries to access a Backend analytics through the Admin Portal dashboard it's returning the message Access Denied.

The problem seems to be that there's no top level menu item that allows navigating to analytics directly. Inspecting the Admin Portal dashboard I can see that the Backend urls are referencing to /p/admin/backend_apis/<backend_id> directly instead of /p/admin/backend_apis/<backend_id>/stats/usage:

<a href="/p/admin/backend_apis/3" id="single-action-item1">HTTPBIN_BACKEND</a>

I'm sharing the system-provider log below:

[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Started GET "/check.txt" for 10.131.0.1 at 2021-08-27 20:09:24 +0000
[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Processing by ChecksController#check as */*
[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Rendering text template
[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Rendered text template (0.0ms)
[0eee153d-e7fa-4ce8-9df7-1f8dd8cb4ef2] [10.131.1.54] [10.131.0.1] Completed 200 OK in 4ms (Views: 0.8ms | ActiveRecord: 0.0ms)
10.131.0.1 - - [27/Aug/2021:20:09:24 +0000] "GET /check.txt HTTP/1.1" 200 - 0.0095
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Started GET "/p/admin/backend_apis/3" for 10.0.91.25 at 2021-08-27 20:09:26 +0000
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Processing by Provider::Admin::BackendApisController#show as HTML
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Parameters: {"id"=>"3"}
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(finance) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(partners) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(monitoring) => true
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(finance) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(partners) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(plans) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(settings) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(monitoring) => true
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(portal) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] ~> gmpereir has_permission?(legal) => false
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Handling Exception: You are not authorized to access this page. with status forbidden
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendering errors/provider/forbidden.html.erb within layouts/error
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered errors/provider/forbidden.html.erb within layouts/error (0.1ms)
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered provider/_analytics.html.erb (0.1ms)
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered provider/_logo.html.slim (0.0ms)
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Rendered provider/_footer_powered_by_part.html.slim (0.0ms)
[5e5a06b5-44d8-4336-9d7d-66f19bd5a297] [3scale-admin.apps.ocp4amp.lab.upshift.rdu2.redhat.com] [10.0.91.25] Completed 403 Forbidden in 92ms (Views: 4.5ms | ActiveRecord: 7.6ms)
10.0.91.25 - - [27/Aug/2021:20:09:26 +0000] "GET /p/admin/backend_apis/3 HTTP/1.1" 403 - 0.1033
10.0.91.25 - - [27/Aug/2021:20:09:27 +0000] "GET /assets/error-a0706ff249c33f59e35929b3c67bbff618f9ebb43fa4a06a4ee13d933ea28404.css HTTP/1.1" 200 15575 0.0037

If this can't be fixed, we should change the permission name to make it more clear to the use (since they do have access at the product level).

is related to

THREESCALE-6482 User with 'Analytics' role cannot view products without additional r/w role granted

To Test (QE)

relates to

THREESCALE-11068 Member user in Analytics group getting Access Denied when accessing the Product analytics page

To Develop

links to

Member users in 3scale Analytics group getting "Access Denied" when accessing the Backend analytics

RHEA-2024:129555 Release of 3scale-operator 0.12.1mas for RHOAM - Containers

mentioned on

Merge request - Updated US source to: 2ff2b7a THREESCALE-7491: Fix permissions errors for member user with Analytics permissions (#3763)

Merge request - Updated US source to: 5397809 Merge pull request #3769 from 3scale/provider_plan_widget_cukes

Merge request - Updated US source to: eea43d5 THREESCALE-11011: Authorize.net is a living dead 🧟‍♀️ (#3771)

(2 mentioned on)

Assignee:: Unassigned

Reporter:: Gustavo Pereira

Tester:: Martin Kudlej

Developer:: Daria Mayorova

Votes:: 2 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2021/08/27 8:19 PM

Updated:: 2024/11/15 8:13 AM

Resolved:: 2024/11/15 8:04 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates