The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/7914


=== Description (from pull-request) ===
Checks that non-admin users have the `manage-networks` RBAC permission before allowing access to API routes that create/modify networks.

Also marks the `feature` argument in `allowProjectPermission` as unused, since a point for discussion is whether this argument should be removed or actually used.
From b548f832080d329c0946b4d49dc7cff0f359199e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Tue, 22 Sep 2020 14:08:11 +0100
Subject: [PATCH 1/2] lxd/daemon: Marks the feature argument as unused in
 allowProjectPermission

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/daemon.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 171d0df966..03f30efcca 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -220,7 +220,7 @@ func allowAuthenticated(d *Daemon, r *http.Request) 
response.Response {
 }
 
 // allowProjectPermission is a wrapper to check access against the project, 
its features and RBAC permission
-func allowProjectPermission(feature string, permission string) func(d *Daemon, 
r *http.Request) response.Response {
+func allowProjectPermission(_ string, permission string) func(d *Daemon, r 
*http.Request) response.Response {
        return func(d *Daemon, r *http.Request) response.Response {
                // Shortcut for speed
                if d.userIsAdmin(r) {
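Review bot: The doc comment two lines above the signature still says the wrapper checks access against "the project, its features and RBAC permission", but the new signature discards the feature argument with `_`, so the comment now overstates what is enforced. Suggest `// allowProjectPermission is a wrapper to check access against the project and an RBAC permission. The first (feature) argument is accepted for call-site compatibility but is currently unused.` Call sites such as the networks endpoints keep passing a literal feature name, so without that note a reader will assume the feature flag is being checked. The body of allowProjectPermission continues past the end of this hunk.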

From 3696e9d25c38157ef84273bf43b0b22b653dd05b Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Tue, 22 Sep 2020 14:08:50 +0100
Subject: [PATCH 2/2] lxd/networks: Enforces manage-networks RBAC permission
 for managing networks

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/networks.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lxd/networks.go b/lxd/networks.go
index e53e5bf088..6ad662a834 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -40,7 +40,7 @@ var networksCmd = APIEndpoint{
        Path: "networks",
 
        Get:  APIEndpointAction{Handler: networksGet, AccessHandler: 
allowAuthenticated},
-       Post: APIEndpointAction{Handler: networksPost},
+       Post: APIEndpointAction{Handler: networksPost, AccessHandler: 
allowProjectPermission("networks", "manage-networks")},
 }
 
 var networkCmd = APIEndpoint{
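Review bot: The expression `allowProjectPermission("networks", "manage-networks")` is spelled out in full on the Post line here and three more times in the networkCmd hunk below. Since the function returns a closure that, per the daemon.go hunk, captures only its string arguments, the result could be bound once, e.g. `var allowManageNetworks = allowProjectPermission("networks", "manage-networks")`, and referenced from each action. For an access check that keeps the permission string in a single place so the four routes cannot drift apart on a typo or a later rename.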
@@ -48,9 +48,9 @@ var networkCmd = APIEndpoint{
 
        Delete: APIEndpointAction{Handler: networkDelete},
        Get:    APIEndpointAction{Handler: networkGet, AccessHandler: 
allowAuthenticated},
-       Patch:  APIEndpointAction{Handler: networkPatch},
-       Post:   APIEndpointAction{Handler: networkPost},
-       Put:    APIEndpointAction{Handler: networkPut},
+       Patch:  APIEndpointAction{Handler: networkPatch, AccessHandler: 
allowProjectPermission("networks", "manage-networks")},
+       Post:   APIEndpointAction{Handler: networkPost, AccessHandler: 
allowProjectPermission("networks", "manage-networks")},
+       Put:    APIEndpointAction{Handler: networkPut, AccessHandler: 
allowProjectPermission("networks", "manage-networks")},
 }
 
 var networkLeasesCmd = APIEndpoint{
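Review bot: `Delete: APIEndpointAction{Handler: networkDelete}` on the third line of this hunk is now the only mutating action in networkCmd without an AccessHandler, while Patch, Post and Put all require `manage-networks`. If a nil AccessHandler falls back to an admin-only check, deletion ends up stricter than modification, which may be intended but is not stated anywhere in the commit; if it falls back to something more permissive, deletion becomes the one mutating route that skips the RBAC check. Either way the asymmetry deserves a comment on the Delete line, or `Delete: APIEndpointAction{Handler: networkDelete, AccessHandler: allowProjectPermission("networks", "manage-networks")},` for consistency with the PR's stated goal of gating network management.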