The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8197
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
From be0e76b98c2fadcbd9dc09d34a05c3e6e3707da5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Fri, 27 Nov 2020 20:33:51 -0500
Subject: [PATCH] lxd/rbac: Filter storage UsedBy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/storage_pools.go | 4 ++--
 lxd/storage_pools_utils.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/lxd/storage_pools.go b/lxd/storage_pools.go
index 2e3631e676..d7dd919474 100644
--- a/lxd/storage_pools.go
+++ b/lxd/storage_pools.go
@@ -70,7 +70,7 @@ func storagePoolsGet(d *Daemon, r *http.Request) response.Response {
 if err != nil {
 return response.SmartError(err)
 }
- pl.UsedBy = poolUsedBy
+ pl.UsedBy = filterUsedBy(d, r, poolUsedBy)
 resultMap = append(resultMap, *pl)
 }
@@ -332,7 +332,7 @@ func storagePoolGet(d *Daemon, r *http.Request) response.Response {
 if err != nil {
 return response.SmartError(err)
 }
- pool.UsedBy = poolUsedBy
+ pool.UsedBy = filterUsedBy(d, r, poolUsedBy)
 targetNode := queryParam(r, "target")
diff --git a/lxd/storage_pools_utils.go b/lxd/storage_pools_utils.go
index 6ea29eb5c2..6bcf985a9a 100644
--- a/lxd/storage_pools_utils.go
+++ b/lxd/storage_pools_utils.go
@@ -2,9 +2,12 @@ package main
 import (
 "fmt"
+ "net/http"
+ "strings"
 "github.com/pkg/errors"
+ "github.com/lxc/lxd/lxd/project"
 "github.com/lxc/lxd/lxd/state"
 storagePools "github.com/lxc/lxd/lxd/storage"
 "github.com/lxc/lxd/shared"
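Review bot: `pl.UsedBy` in storagePoolsGet (and `pool.UsedBy` in storagePoolGet, the following hunk) now holds a per-caller view rather than the pool's real usage, and nothing at either assignment says so. Both functions continue outside their hunks, so it is not visible here whether later code reads the field; if anything does, an in-use decision made on the filtered list would treat a pool as unused for a restricted caller. I would add a comment at both sites, e.g. `// UsedBy is filtered for the caller's project access; use poolUsedBy for in-use checks.`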
@@ -183,3 +186,30 @@ func dbStoragePoolDeleteAndUpdateCache(s *state.State, poolName string) error {
 return err
 }
+
+// filterUsedBy filters a UsedBy list based on project access
+func filterUsedBy(d *Daemon, r *http.Request, entries []string) []string {
+ // Shortcut for admins and non-RBAC environments.
+ if d.userIsAdmin(r) {
+ return entries
+ }
+
+ // Filter the entries.
+ usedBy := []string{}
+ for _, entry := range entries {
+ projectName := project.Default
+ fields := strings.Split(entry, "?project=")
+ if len(fields) > 1 {
+ projectName = fields[len(fields)-1]
+ projectName = strings.Split(projectName, "&")[0]
+ }
+
+ if !d.userHasPermission(r, projectName, "view") {
+ continue
+ }
+
+ usedBy = append(usedBy, entry)
+ }
+
+ return usedBy
+}
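Review bot: The project lookup in filterUsedBy's loop decides an access check by splitting the entry on the literal `?project=`, so an entry whose `project` parameter is not the first query parameter (`?target=x&project=y`, a constructed example) falls through to `project.Default` and is checked against the wrong project. Whether UsedBy entries can take that form is not visible in this diff, but the filter fails open when it cannot find the parameter, and it does not URL-decode the project name either. Parsing the entry with `net/url` (which would need adding to the import block) and skipping entries that fail to parse keeps the filter closed by default; the doc comment should also state that entries with no project parameter are treated as belonging to the default project.

```go
	for _, entry := range entries {
		// Parse the URL instead of matching on "?project=" so the
		// parameter is found at any position and is URL-decoded.
		u, err := url.Parse(entry)
		if err != nil {
			// Fail closed: never expose an entry we cannot attribute to a project.
			continue
		}

		projectName := u.Query().Get("project")
		if projectName == "" {
			projectName = project.Default
		}

		// … unchanged: userHasPermission check and append …
	}
```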