Admin actions are defined, but you are not allowed to upload token files

koenr · June 26, 2020, 3:50pm

I can not upload tokens with the local admin account, created on setup.
I found a few mentions of this, related to policy files. This is my (short) list.

pi-manage policy list

Active Name Scope

True enroll_tokenlabel enrollment
True webui1 webui
True webui_enabletoken authentication
True hide_welcome webui
True selfservice1 user

From the server documentation:
SUPERUSER_REALM: [‘super’]

… note:: The SUPERUSER_REALM is a list of defined realms where the users
will have administrative rights when logging in to the web UI.

PI_AUDIT_POOL_SIZE: 20

PI_AUDIT_SQL_TRUNCATE: True

PI_ENGINE_REGISTRY_CLASS: shared

Local Admins

In addition to the SUPERUSER_REALM there are local administrators stored in
the database. The following administrators are defined:

admin admin@localhost

The weird thing is: I had this before. It magically resolved by restarting the server (and that on a Linux).
Doesn’t solve the problem now however …

I solved it this time by disabling all my policies and then uploading. That worked, but that can hardly be the solution.

What policy blocks this? I don’t think I have anything from the admin scope …

cornelinux · June 26, 2020, 3:58pm

This is a know issue.

The upload will only work, if you define an admin policy. Please note, that you need to define an admin policy with roughly all rights as first policy.

koenr · June 28, 2020, 7:31am

Ah, I missed that. Thank you for your reply.

I was following

Note
As long as no admin policy is defined all administrators are allowed to do everything.

from the page https://privacyidea.readthedocs.io/en/latest/policies/admin.html#admin-policies in the documentation…

koenr · September 18, 2020, 12:53pm

I still didn’t manage to get this working: if I make a policy for superadmin and tick all boxes, then it is not allowed to do anything anymore for some reason.

For people in the same boat: as a workaround I disable all policies and then I can upload the tokens.

I’m still on 3.3

cornelinux · September 18, 2020, 1:08pm

The admin should be allowed to do “things”. If you are on 3.3, however you have the import-token-bug, which is fixed in 3.3.3, which is the latest bug fixing release. 3.4 is the latest feature release.

You could also use pi-manage to export your (admin)-policies and we could take a look.

pi-manage policy p_export

Write it to a file, filter for all admin policies and take a deeper look or post them here.
Regards
Cornelius