Closed
Description
Bug Description
Context
Consider the following namespaces on the instance:
- team1-prod
- team2-prod
- team3-prod
and the following Rego policy:
package flipt.authz.v1
import rego.v1
default allow := false
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "member-team1" in claims.roles
    input.request.namespace == "team1-prod"
}
Problem
On the first page load after authentication, the UI becomes unusable:
- The namespace dropdown is not populated
- Navigation to other namespaces is not possible
- In the browser's network tab, the request GET /api/v1/namespaces fails with a 403 error
Workaround
As a workaround, read rights to the default namespace have to be granted using the following policy:
package flipt.authz.v1
import rego.v1
default allow := false
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    count(claims.groups) > 0
    input.request.namespace == "default"
    input.request.action == "read"
}
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "member-team1" in claims.roles
    input.request.namespace == "team1-prod"
}
Limitation of the Workaround
While this workaround restores basic functionality, the user experience remains suboptimal:
- Users are greeted with a view of the default namespace, which they cannot edit (although the buttons are still active)
- Users must manually navigate to their own namespace via the dropdown
- The dropdown displays all namespaces, including those the user does not own or have access to
Navigation to other namespaces is blocked, but it would be best if resource visibility were aligned with access permissions.
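An added Rego policy, written for this report and not taken from Flipt or from the issue author, that generalises the workaround above to all three teams and checks it with opa unit tests. It assumes the input shape used by the policies above; the role-to-namespace map, the claim values and the test names are constructed.

```rego
package flipt.authz.v1

import rego.v1

default allow := false

# Role -> namespace map for the three namespaces in the report
# (constructed for this example; the role names are assumed).
team_namespaces := {
    "member-team1": "team1-prod",
    "member-team2": "team2-prod",
    "member-team3": "team3-prod",
}

# Claims are carried as a JSON string in the auth metadata (as in the report).
# If the key is missing this rule is undefined and every rule below denies.
claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])

# Workaround from the report, kept as narrow as possible: read-only access to
# the default namespace so the namespace listing on first load does not 403.
allow if {
    count(claims.groups) > 0
    input.request.namespace == "default"
    input.request.action == "read"
}

# Every other namespace is reachable only through the role that owns it;
# a team1 role never matches team2-prod, whatever the action.
allow if {
    some role in claims.roles
    team_namespaces[role] == input.request.namespace
}

# Unit tests, run with `opa test -v <this file>`; the claim values are constructed.
team1_claims := `{"roles":["member-team1"],"groups":["eng"]}`

test_team1_reads_own_namespace if {
    allow with input as {
        "authentication": {"metadata": {"io.flipt.auth.claims": team1_claims}},
        "request": {"namespace": "team1-prod", "action": "read"},
    }
}

test_team1_denied_team2_namespace if {
    not allow with input as {
        "authentication": {"metadata": {"io.flipt.auth.claims": team1_claims}},
        "request": {"namespace": "team2-prod", "action": "read"},
    }
}
```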
Version Info
flipt-1 | Version: v1.52.2
flipt-1 | Commit: 2d6a7e5d981a3077c26b96d481eb1fba147742f2
flipt-1 | Build Date: 2024-12-03T16:36:20Z
flipt-1 | Go Version: go1.23.3
flipt-1 | OS/Arch: linux/arm64
Search
- I searched for other open and closed issues before opening this
Steps to Reproduce
Set up Flipt with the following namespaces on the instance:
- team1-prod
- team2-prod
- team3-prod
and the following Rego policy:
package flipt.authz.v1
import rego.v1
default allow := false
allow if {
    claims := json.unmarshal(input.authentication.metadata["io.flipt.auth.claims"])
    "member-team1" in claims.roles
    input.request.namespace == "team1-prod"
}
And an authorization provider that includes member-team1 in the claim. Then log in with a user who has the member-team1 role.
Expected Behavior
- Users are redirected to any (e.g. the first) of their assigned namespaces upon login or first page load
- Users can only see the namespaces they have authorization for
Additional Context
Config excerpt:
# ...
authorization:
  required: true
  backend: local
  local:
    policy:
      path: "/var/run/policy.rego"
      poll_interval: 1m
authentication:
  required: true
  session:
    domain: "localhost:8080"
    secure: false
    csrf:
      key: "abcdef1234567890"
  methods:
    token:
      enabled: true
      cleanup:
        interval: 2h
        grace_period: 48h
    oidc:
      enabled: true
      providers:
        azure:
          issuer_url: "XXXX"
          client_id: "XXXX"
          client_secret: "XXXX"
          redirect_address: "http://localhost:8080"
      cleanup:
        interval: 2h
        grace_period: 48h
# ...