Merge pull request #680 from cvaroqui/main

RBAC
opensvc · Jan 24, 2025 · c0b1eae · c0b1eae
2 parents a2585be + 09e51d2
commit c0b1eae
Show file tree

Hide file tree

Showing 105 changed files with 176 additions and 111 deletions.
diff --git a/core/clusterdump/cluster.go b/core/clusterdump/cluster.go
@@ -104,21 +104,25 @@ func (s *Data) WithSelector(selector string) *Data {
 }
 
 // WithNamespace purges the dataset from objects not matching the namespace
-func (s *Data) WithNamespace(namespace string) *Data {
-	if namespace == "" {
+func (s *Data) WithNamespace(namespaces ...string) *Data {
+	if len(namespaces) == 0 {
 		return s
 	}
+	allowedNamespaces := make(map[string]any)
+	for _, namespace := range namespaces {
+		allowedNamespaces[namespace] = nil
+	}
 	for nodename, nodeData := range s.Cluster.Node {
 		for ps := range nodeData.Instance {
 			p, _ := naming.ParsePath(ps)
-			if p.Namespace != namespace {
+			if _, ok := allowedNamespaces[p.Namespace]; !ok {
 				delete(s.Cluster.Node[nodename].Instance, ps)
 			}
 		}
 	}
 	for ps := range s.Cluster.Object {
 		p, _ := naming.ParsePath(ps)
-		if p.Namespace != namespace {
+		if _, ok := allowedNamespaces[p.Namespace]; !ok {
 			delete(s.Cluster.Object, ps)
 		}
 	}

diff --git a/daemon/daemonapi/get_daemon_events.go b/daemon/daemonapi/get_daemon_events.go
@@ -143,10 +143,8 @@ func (a *DaemonAPI) getPeerDaemonEvents(ctx echo.Context, nodename string, param
 
 // getLocalDaemonEvents handles streaming local daemon events based on provided filters, selectors, and parameters.
 func (a *DaemonAPI) getLocalDaemonEvents(ctx echo.Context, params api.GetDaemonEventsParams) error {
-	if v, err := assertRole(ctx, rbac.RoleGuest, rbac.RoleOperator, rbac.RoleAdmin, rbac.RoleRoot, rbac.RoleJoin, rbac.RoleLeave); err != nil {
+	if v, err := assertRole(ctx, rbac.RoleGuest, rbac.RoleOperator, rbac.RoleAdmin, rbac.RoleRoot, rbac.RoleJoin, rbac.RoleLeave); !v {
 		return err
-	} else if !v {
-		return nil
 	}
 	var (
 		handlerName = "GetDaemonEvents"

diff --git a/daemon/daemonapi/get_daemon_status.go b/daemon/daemonapi/get_daemon_status.go
@@ -8,6 +8,7 @@ import (
 	"github.com/labstack/echo/v4"
 
 	"github.com/opensvc/om3/daemon/api"
+	"github.com/opensvc/om3/daemon/rbac"
 )
 
 type (
@@ -30,7 +31,8 @@ var (
 //
 // Serve 2s cached data.
 func (a *DaemonAPI) GetDaemonStatus(ctx echo.Context, params api.GetDaemonStatusParams) error {
-	if v, err := assertRoot(ctx); !v {
+	// Require at least "guest" on any namespace.
+	if v, err := assertRole(ctx, rbac.RoleGuest, rbac.RoleOperator, rbac.RoleAdmin, rbac.RoleRoot, rbac.RoleJoin, rbac.RoleLeave); !v {
 		return err
 	}
 	now := time.Now()
@@ -42,11 +44,25 @@ func (a *DaemonAPI) GetDaemonStatus(ctx echo.Context, params api.GetDaemonStatus
 	subRefreshed.Unlock()
 
 	status := a.Daemondata.ClusterData()
+
+	// Explicit object selector filtering
 	if params.Selector != nil {
 		status = status.WithSelector(*params.Selector)
 	}
+
+	// Explicit namespace filtering
 	if params.Namespace != nil {
 		status = status.WithNamespace(*params.Namespace)
 	}
+
+	// RBAC namespace filtering
+	userGrants := grantsFromContext(ctx)
+	if !userGrants.HasRole(rbac.RoleRoot) {
+		// If the user has no "root" grant, filter out all objects from namespaces
+		// he has no role for. The guest:ns1 grant is sufficient to see all
+		// objects in ns1.
+		status = status.WithNamespace(userGrants.Namespaces()...)
+	}
+
 	return ctx.JSON(http.StatusOK, status)
 }
diff --git a/daemon/daemonapi/get_instance.go b/daemon/daemonapi/get_instance.go
@@ -8,6 +8,7 @@ import (
 	"github.com/opensvc/om3/core/instance"
 	"github.com/opensvc/om3/core/naming"
 	"github.com/opensvc/om3/daemon/api"
+	"github.com/opensvc/om3/daemon/rbac"
 )
 
 func (a *DaemonAPI) GetInstances(ctx echo.Context, params api.GetInstancesParams) error {
@@ -24,14 +25,17 @@ func (a *DaemonAPI) GetInstances(ctx echo.Context, params api.GetInstancesParams
 	}
 	configs := instance.ConfigData.GetAll()
 	l := make(api.InstanceItems, 0)
+	hasRoot := grantsFromContext(ctx).HasRole(rbac.RoleRoot)
+	userGrants := grantsFromContext(ctx)
+
 	for _, config := range configs {
 		if !meta.HasPath(config.Path.String()) {
 			continue
 		}
 		if !meta.HasNode(config.Node) {
 			continue
 		}
-		if _, err := assertGuest(ctx, config.Path.Namespace); err != nil {
+		if !hasRoot && !userGrants.Has(rbac.RoleGuest, config.Path.Namespace) {
 			continue
 		}
 

diff --git a/daemon/daemonapi/get_instance_config_file.go b/daemon/daemonapi/get_instance_config_file.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceConfigFile(ctx echo.Context, nodename, namespace string, kind naming.Kind, name string) error {
-	if _, err := assertGuest(ctx, namespace); err != nil {
+	if v, err := assertGuest(ctx, namespace); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_instance_resource_info.go b/daemon/daemonapi/get_instance_resource_info.go
@@ -15,7 +15,7 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceResourceInfo(ctx echo.Context, nodename, namespace string, kind naming.Kind, name string) error {
-	if _, err := assertGuest(ctx, namespace); err != nil {
+	if v, err := assertGuest(ctx, namespace); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_instance_schedule.go b/daemon/daemonapi/get_instance_schedule.go
@@ -11,7 +11,7 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceSchedule(ctx echo.Context, nodename, namespace string, kind naming.Kind, name string) error {
-	if _, err := assertGuest(ctx, namespace); err != nil {
+	if v, err := assertGuest(ctx, namespace); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_instances_logs.go b/daemon/daemonapi/get_instances_logs.go
@@ -10,7 +10,7 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceLogs(ctx echo.Context, nodename string, namespace string, kind naming.Kind, name string, params api.GetInstanceLogsParams) error {
-	if _, err := assertGuest(ctx, namespace); err != nil {
+	if v, err := assertGuest(ctx, namespace); !v {
 		return err
 	}
 	p, err := naming.NewPath(namespace, kind, name)

diff --git a/daemon/daemonapi/get_network.go b/daemon/daemonapi/get_network.go
@@ -13,7 +13,7 @@ import (
 
 // GetNetworks returns network status list.
 func (a *DaemonAPI) GetNetworks(ctx echo.Context, params api.GetNetworksParams) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	var items api.NetworkItems

diff --git a/daemon/daemonapi/get_network_ip.go b/daemon/daemonapi/get_network_ip.go
@@ -40,7 +40,7 @@ func GetClusterIPs() clusterip.L {
 
 // GetNetworkIP returns network status list.
 func (a *DaemonAPI) GetNetworkIP(ctx echo.Context, params api.GetNetworkIPParams) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	n, err := object.NewNode(object.WithVolatile(true))

diff --git a/daemon/daemonapi/get_node.go b/daemon/daemonapi/get_node.go
@@ -10,7 +10,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodes(ctx echo.Context, params api.GetNodesParams) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	meta := Meta{

diff --git a/daemon/daemonapi/get_node_capabilities.go b/daemon/daemonapi/get_node_capabilities.go
@@ -11,7 +11,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeCapabilities(ctx echo.Context, nodename string) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_config.go b/daemon/daemonapi/get_node_config.go
@@ -14,7 +14,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeConfig(ctx echo.Context, nodename string, params api.GetNodeConfigParams) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_config_file.go b/daemon/daemonapi/get_node_config_file.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeConfigFile(ctx echo.Context, nodename string) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_config_get.go b/daemon/daemonapi/get_node_config_get.go
@@ -14,7 +14,7 @@ import (
 func (a *DaemonAPI) GetNodeConfigGet(ctx echo.Context, nodename string, params api.GetNodeConfigGetParams) error {
 	//log := LogHandler(ctx, "GetNodeConfigGet")
 
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 

diff --git a/daemon/daemonapi/get_node_drbd_allocation.go b/daemon/daemonapi/get_node_drbd_allocation.go
@@ -74,7 +74,7 @@ func init() {
 }
 
 func (a *DaemonAPI) GetNodeDRBDAllocation(ctx echo.Context, nodename string) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_drbd_config.go b/daemon/daemonapi/get_node_drbd_config.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeDRBDConfig(ctx echo.Context, nodename string, params api.GetNodeDRBDConfigParams) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	log := LogHandler(ctx, "GetNodeDRBDConfig")

diff --git a/daemon/daemonapi/get_node_drivers.go b/daemon/daemonapi/get_node_drivers.go
@@ -12,7 +12,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeDriver(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_logs.go b/daemon/daemonapi/get_node_logs.go
@@ -20,7 +20,7 @@ import (
 
 // GetNodeLogs feeds publications in rss format.
 func (a *DaemonAPI) GetNodeLogs(ctx echo.Context, nodename string, params api.GetNodeLogsParams) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if nodename == a.localhost || nodename == "localhost" {

diff --git a/daemon/daemonapi/get_node_ping.go b/daemon/daemonapi/get_node_ping.go
@@ -10,7 +10,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodePing(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_schedule.go b/daemon/daemonapi/get_node_schedule.go
@@ -12,7 +12,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSchedule(ctx echo.Context, nodename string) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_ssh_hostkeys.go b/daemon/daemonapi/get_node_ssh_hostkeys.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSSHHostkeys(ctx echo.Context, nodename string) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_ssh_key.go b/daemon/daemonapi/get_node_ssh_key.go
@@ -17,7 +17,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSSHKey(ctx echo.Context, nodename string) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_disk.go b/daemon/daemonapi/get_node_system_disk.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemDisk(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_group.go b/daemon/daemonapi/get_node_system_group.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemGroup(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_hardware.go b/daemon/daemonapi/get_node_system_hardware.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemHardware(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_ipaddress.go b/daemon/daemonapi/get_node_system_ipaddress.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemIPAddress(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_package.go b/daemon/daemonapi/get_node_system_package.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemPackage(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_patch.go b/daemon/daemonapi/get_node_system_patch.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemPatch(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_property.go b/daemon/daemonapi/get_node_system_property.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemProperty(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_san_initiator.go b/daemon/daemonapi/get_node_system_san_initiator.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemSANInitiator(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_san_path.go b/daemon/daemonapi/get_node_system_san_path.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemSANPath(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_system_user.go b/daemon/daemonapi/get_node_system_user.go
@@ -13,7 +13,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemUser(ctx echo.Context, nodename api.InPathNodeName) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_nodes_info.go b/daemon/daemonapi/get_nodes_info.go
@@ -8,7 +8,7 @@ import (
 )
 
 func (a *DaemonAPI) GetNodesInfo(ctx echo.Context) error {
-	if _, err := assertRoot(ctx); err != nil {
+	if v, err := assertRoot(ctx); !v {
 		return err
 	}
 	log := LogHandler(ctx, "GetNodesInfo")