[GH-ISSUE #17] Comments on servers are not visible to users added via group-guest on selfListAccesses #6

Closed
opened 2026-05-07 00:17:07 +02:00 by BreizhHardware · 0 comments

Originally created by @rbeuque74 on GitHub (Oct 26, 2020).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/17

I have a group with 4 servers, some of which have a `userComment` on them:

```
poweruser@zbst-rbeuque(master)> groupListServers --group foo
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> list of servers pertaining to the group
--------------------------------------------------------------------------------
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?
~ 127.0.0.1          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                                        - -
~ 127.0.0.2          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                             test comment -
~ 127.0.0.3          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                        test foo comment -
~ 127.0.0.4          22                  ovh                     foo(group)  poweruser    2020-10-26                                             -                                        - -
~ 4 accesses listed
```

When I add another user as a guest of my `foo` group, the user can't see the `userComment` that has been set by the person who added the server.

```
user@zbst-rbeuque(master)> selfListAccesses
---zbst-rbeuque--------------------------------the-bastion-2.99.99-rc9.4-ovh1---
=> your access list
--------------------------------------------------------------------------------
~ Dear robot-framework, you have access to the following servers:
~ IP               PORT                 USER                      ACCESS-BY   ADDED-BY      ADDED-AT                                       EXPIRY?                                  COMMENT FORCED-KEY?
~ 127.0.0.1          22                  ovh               foo(group-guest)  poweruser    2020-10-26                                             -                                        - -
~ 127.0.0.4          22                  ovh               foo(group-guest)  poweruser    2020-10-26                                             -                                        - -
~ 3 accesses listed
----------------------------------------------------------</selfListAccesses>---
```

I guess the issue is around:

- https://github.com/ovh/the-bastion/blob/master/bin/helper/osh-accountAddGroupServer#L72
- https://github.com/ovh/the-bastion/blob/master/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm#L191
- https://github.com/ovh/the-bastion/blob/master/lib/perl/OVH/Bastion/allowkeeper.inc#L235

`groupSetRole` calls `OVH::Bastion::is_access_way_granted` then `osh-accountAddGroupServer`.
`OVH::Bastion::is_access_way_granted` retrieves the current ACL, which contains the comment, but doesn't retrieve it completely and, more specifically, doesn't forward it to `osh-accountAddGroupServer`.
This comment could be used as a parameter in `osh-accountAddGroupServer` while calling `OVH::Bastion::access_modify`.
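A check for the symptom reported above, as an added example that is not part of the original issue or of the-bastion's code: it parses a `groupListServers` listing and a guest's `selfListAccesses` listing and reports accesses whose group comment is not shown to the guest. The listings are constructed samples in the column layout shown in the issue; the parser assumes a numeric PORT and single-token ADDED-AT and EXPIRY? values, as in the rows on this page.

```python
# Constructed sample listings (not captured output), same columns as the issue:
# IP PORT USER ACCESS-BY ADDED-BY ADDED-AT EXPIRY? COMMENT FORCED-KEY?
GROUP_LISTING = """\
~ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT EXPIRY? COMMENT FORCED-KEY?
~ 127.0.0.1 22 ovh foo(group) poweruser 2020-10-26 - - -
~ 127.0.0.2 22 ovh foo(group) poweruser 2020-10-26 - test comment -
~ 127.0.0.3 22 ovh foo(group) poweruser 2020-10-26 - test foo comment -
~ 3 accesses listed
"""
GUEST_LISTING = """\
~ Dear robot-framework, you have access to the following servers:
~ IP PORT USER ACCESS-BY ADDED-BY ADDED-AT EXPIRY? COMMENT FORCED-KEY?
~ 127.0.0.1 22 ovh foo(group-guest) poweruser 2020-10-26 - - -
~ 127.0.0.2 22 ovh foo(group-guest) poweruser 2020-10-26 - - -
~ 127.0.0.3 22 ovh foo(group-guest) poweruser 2020-10-26 - test foo comment -
~ 3 accesses listed
"""


def parse_listing(text):
    """Map (ip, port, user, group) -> comment for each access row."""
    rows = {}
    for line in text.splitlines():
        tok = line.split()
        # Skip banner, header and summary lines: a data row has at least
        # 7 fixed fields, one comment token and FORCED-KEY? after the "~".
        if len(tok) < 10 or tok[0] != "~" or not tok[2].isdigit():
            continue
        ip, port, user, access_by = tok[1:5]
        group = access_by.split("(")[0]      # "foo(group-guest)" -> "foo"
        comment = " ".join(tok[8:-1])        # comment may contain spaces
        rows[(ip, port, user, group)] = comment
    return rows


def dropped_comments(group_text, guest_text):
    """Return (key, group_comment, guest_comment) where the guest view differs."""
    group, guest = parse_listing(group_text), parse_listing(guest_text)
    return sorted(
        (key, group[key], guest[key])
        for key in guest
        if key in group and group[key] != "-" and guest[key] != group[key]
    )


if __name__ == "__main__":
    for (ip, port, user, grp), want, got in dropped_comments(GROUP_LISTING, GUEST_LISTING):
        print(f"{user}@{ip}:{port} via {grp}: group comment {want!r}, guest sees {got!r}")
```
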
BreizhHardware 2026-05-07 00:17:07 +02:00
  • closed this issue
  • added the bug label