Merge pull request #678 from cvaroqui/main

RBAC
opensvc · Jan 24, 2025 · c62306b · c62306b
2 parents a400417 + 0ff657a
commit c62306b
Show file tree

Hide file tree

Showing 136 changed files with 451 additions and 306 deletions.
diff --git a/daemon/daemonapi/delete_object_kvstore_entry.go b/daemon/daemonapi/delete_object_kvstore_entry.go
@@ -10,13 +10,12 @@ import (
 	"github.com/opensvc/om3/core/naming"
 	"github.com/opensvc/om3/core/object"
 	"github.com/opensvc/om3/daemon/api"
-	"github.com/opensvc/om3/daemon/rbac"
 )
 
 func (a *DaemonAPI) DeleteObjectKVStoreEntry(ctx echo.Context, namespace string, kind naming.Kind, name string, params api.DeleteObjectKVStoreEntryParams) error {
 	log := LogHandler(ctx, "DeleteObjectKVStoreEntry")
 
-	if v, err := assertGrant(ctx, rbac.NewGrant(rbac.RoleAdmin, namespace), rbac.GrantRoot); !v {
+	if v, err := assertAdmin(ctx, namespace); !v {
 		return err
 	}
 

diff --git a/daemon/daemonapi/get_cluster_config_file.go b/daemon/daemonapi/get_cluster_config_file.go
@@ -12,6 +12,9 @@ import (
 )
 
 func (a *DaemonAPI) GetClusterConfigFile(ctx echo.Context) error {
+	if v, err := assertRoot(ctx); !v {
+		return err
+	}
 	logName := "GetClusterConfigFile"
 	log := LogHandler(ctx, logName)
 	log.Debugf("%s: starting", logName)

diff --git a/daemon/daemonapi/get_daemon_events.go b/daemon/daemonapi/get_daemon_events.go
@@ -143,7 +143,7 @@ func (a *DaemonAPI) getPeerDaemonEvents(ctx echo.Context, nodename string, param
 
 // getLocalDaemonEvents handles streaming local daemon events based on provided filters, selectors, and parameters.
 func (a *DaemonAPI) getLocalDaemonEvents(ctx echo.Context, params api.GetDaemonEventsParams) error {
-	if v, err := assertRole(ctx, rbac.RoleRoot, rbac.RoleJoin, rbac.RoleLeave); err != nil {
+	if v, err := assertRole(ctx, rbac.RoleGuest, rbac.RoleOperator, rbac.RoleAdmin, rbac.RoleRoot, rbac.RoleJoin, rbac.RoleLeave); err != nil {
 		return err
 	} else if !v {
 		return nil
@@ -181,6 +181,9 @@ func (a *DaemonAPI) getLocalDaemonEvents(ctx echo.Context, params api.GetDaemonE
 		evCtx  = ctx.Request().Context()
 		cancel context.CancelFunc
 	)
+	hasRoot := grantsFromContext(ctx).HasRole(rbac.RoleRoot)
+	userGrants := grantsFromContext(ctx)
+
 	log := LogHandler(ctx, handlerName)
 	log.Debugf("starting")
 	defer log.Debugf("done")
@@ -208,6 +211,19 @@ func (a *DaemonAPI) getLocalDaemonEvents(ctx echo.Context, params api.GetDaemonE
 		return false
 	}
 
+	// isAllowed returns false if a message has a namespace label that
+	// doesn't match any of the user's guest grant.
+	isAllowed := func(msg pubsub.Messager) bool {
+		if hasRoot {
+			return true
+		}
+		labels := msg.GetLabels()
+		if namespace, ok := labels["namespace"]; ok {
+			return userGrants.Has(rbac.RoleGuest, namespace)
+		}
+		return true
+	}
+
 	// isSelected returns true when msg has path label that is selected or
 	// doesn't have a path label.
 	isSelected := func(msg pubsub.Messager) bool {
@@ -393,6 +409,11 @@ func (a *DaemonAPI) getLocalDaemonEvents(ctx echo.Context, params api.GetDaemonE
 		case <-evCtx.Done():
 			return nil
 		case i := <-sub.C:
+			if ev, ok := i.(pubsub.Messager); ok {
+				if !isAllowed(ev) {
+					continue
+				}
+			}
 			if hasSelector {
 				switch ev := i.(type) {
 				case *msgbus.ObjectCreated:

diff --git a/daemon/daemonapi/get_daemon_status.go b/daemon/daemonapi/get_daemon_status.go
@@ -30,6 +30,9 @@ var (
 //
 // Serve 2s cached data.
 func (a *DaemonAPI) GetDaemonStatus(ctx echo.Context, params api.GetDaemonStatusParams) error {
+	if v, err := assertRoot(ctx); !v {
+		return err
+	}
 	now := time.Now()
 	subRefreshed.Lock()
 	if now.After(subRefreshed.updated.Add(daemonRefreshInterval)) {

diff --git a/daemon/daemonapi/get_dns_dump.go b/daemon/daemonapi/get_dns_dump.go
@@ -10,5 +10,8 @@ import (
 
 // GetDNSDump returns the DNS zone content.
 func (a *DaemonAPI) GetDNSDump(ctx echo.Context) error {
+	if v, err := assertRoot(ctx); !v {
+		return err
+	}
 	return ctx.JSON(http.StatusOK, dns.GetZone())
 }
diff --git a/daemon/daemonapi/get_instance.go b/daemon/daemonapi/get_instance.go
@@ -31,6 +31,10 @@ func (a *DaemonAPI) GetInstances(ctx echo.Context, params api.GetInstancesParams
 		if !meta.HasNode(config.Node) {
 			continue
 		}
+		if _, err := assertGuest(ctx, config.Path.Namespace); err != nil {
+			continue
+		}
+
 		monitor := instance.MonitorData.GetByPathAndNode(config.Path, config.Node)
 		status := instance.StatusData.GetByPathAndNode(config.Path, config.Node)
 		d := api.InstanceItem{

diff --git a/daemon/daemonapi/get_instance_config_file.go b/daemon/daemonapi/get_instance_config_file.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceConfigFile(ctx echo.Context, nodename, namespace string, kind naming.Kind, name string) error {
+	if _, err := assertGuest(ctx, namespace); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		logName := "GetInstanceConfigFile"
 		log := LogHandler(ctx, logName)

diff --git a/daemon/daemonapi/get_instance_resource_info.go b/daemon/daemonapi/get_instance_resource_info.go
@@ -15,6 +15,9 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceResourceInfo(ctx echo.Context, nodename, namespace string, kind naming.Kind, name string) error {
+	if _, err := assertGuest(ctx, namespace); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalInstanceResourceInfo(ctx, namespace, kind, name)
 	}

diff --git a/daemon/daemonapi/get_instance_schedule.go b/daemon/daemonapi/get_instance_schedule.go
@@ -11,6 +11,9 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceSchedule(ctx echo.Context, nodename, namespace string, kind naming.Kind, name string) error {
+	if _, err := assertGuest(ctx, namespace); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalInstanceSchedule(ctx, namespace, kind, name)
 	}

diff --git a/daemon/daemonapi/get_instances_logs.go b/daemon/daemonapi/get_instances_logs.go
@@ -10,6 +10,9 @@ import (
 )
 
 func (a *DaemonAPI) GetInstanceLogs(ctx echo.Context, nodename string, namespace string, kind naming.Kind, name string, params api.GetInstanceLogsParams) error {
+	if _, err := assertGuest(ctx, namespace); err != nil {
+		return err
+	}
 	p, err := naming.NewPath(namespace, kind, name)
 	if err != nil {
 		JSONProblemf(ctx, http.StatusBadRequest, "Invalid parameter", "%s", err)

diff --git a/daemon/daemonapi/get_network.go b/daemon/daemonapi/get_network.go
@@ -13,6 +13,9 @@ import (
 
 // GetNetworks returns network status list.
 func (a *DaemonAPI) GetNetworks(ctx echo.Context, params api.GetNetworksParams) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	var items api.NetworkItems
 	n, err := object.NewNode(object.WithVolatile(true))
 	if err != nil {

diff --git a/daemon/daemonapi/get_network_ip.go b/daemon/daemonapi/get_network_ip.go
@@ -40,6 +40,9 @@ func GetClusterIPs() clusterip.L {
 
 // GetNetworkIP returns network status list.
 func (a *DaemonAPI) GetNetworkIP(ctx echo.Context, params api.GetNetworkIPParams) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	n, err := object.NewNode(object.WithVolatile(true))
 	if err != nil {
 		return JSONProblemf(ctx, http.StatusInternalServerError, "Failed to allocate a new object.Node", fmt.Sprint(err))

diff --git a/daemon/daemonapi/get_node.go b/daemon/daemonapi/get_node.go
@@ -10,6 +10,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodes(ctx echo.Context, params api.GetNodesParams) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	meta := Meta{
 		Context: ctx,
 		Node:    params.Node,

diff --git a/daemon/daemonapi/get_node_capabilities.go b/daemon/daemonapi/get_node_capabilities.go
@@ -11,6 +11,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeCapabilities(ctx echo.Context, nodename string) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalCapabilities(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_config.go b/daemon/daemonapi/get_node_config.go
@@ -14,6 +14,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeConfig(ctx echo.Context, nodename string, params api.GetNodeConfigParams) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.GetLocalNodeConfig(ctx, nodename, params)
 	}

diff --git a/daemon/daemonapi/get_node_config_file.go b/daemon/daemonapi/get_node_config_file.go
@@ -9,12 +9,11 @@ import (
 	"github.com/opensvc/om3/core/client"
 	"github.com/opensvc/om3/core/rawconfig"
 	"github.com/opensvc/om3/daemon/api"
-	"github.com/opensvc/om3/daemon/rbac"
 	"github.com/opensvc/om3/util/file"
 )
 
 func (a *DaemonAPI) GetNodeConfigFile(ctx echo.Context, nodename string) error {
-	if v, err := assertRole(ctx, rbac.RoleRoot); !v {
+	if _, err := assertRoot(ctx); err != nil {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_config_get.go b/daemon/daemonapi/get_node_config_get.go
@@ -8,14 +8,13 @@ import (
 	"github.com/opensvc/om3/core/clusternode"
 	"github.com/opensvc/om3/core/object"
 	"github.com/opensvc/om3/daemon/api"
-	"github.com/opensvc/om3/daemon/rbac"
 	"github.com/opensvc/om3/util/key"
 )
 
 func (a *DaemonAPI) GetNodeConfigGet(ctx echo.Context, nodename string, params api.GetNodeConfigGetParams) error {
 	//log := LogHandler(ctx, "GetNodeConfigGet")
 
-	if v, err := assertGrant(ctx, rbac.GrantRoot); !v {
+	if _, err := assertRoot(ctx); err != nil {
 		return err
 	}
 

diff --git a/daemon/daemonapi/get_node_drbd_allocation.go b/daemon/daemonapi/get_node_drbd_allocation.go
@@ -10,7 +10,6 @@ import (
 
 	"github.com/opensvc/om3/core/client"
 	"github.com/opensvc/om3/daemon/api"
-	"github.com/opensvc/om3/daemon/rbac"
 	"github.com/opensvc/om3/util/drbd"
 )
 
@@ -75,7 +74,7 @@ func init() {
 }
 
 func (a *DaemonAPI) GetNodeDRBDAllocation(ctx echo.Context, nodename string) error {
-	if v, err := assertGrant(ctx, rbac.GrantRoot); !v {
+	if _, err := assertRoot(ctx); err != nil {
 		return err
 	}
 	if a.localhost == nodename {

diff --git a/daemon/daemonapi/get_node_drbd_config.go b/daemon/daemonapi/get_node_drbd_config.go
@@ -10,19 +10,18 @@ import (
 
 	"github.com/opensvc/om3/core/client"
 	"github.com/opensvc/om3/daemon/api"
-	"github.com/opensvc/om3/daemon/rbac"
 )
 
 func (a *DaemonAPI) GetNodeDRBDConfig(ctx echo.Context, nodename string, params api.GetNodeDRBDConfigParams) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	log := LogHandler(ctx, "GetNodeDRBDConfig")
 	log.Debugf("starting")
 	if params.Name == "" {
 		log.Warnf("invalid file name: %s", params.Name)
 		return JSONProblemf(ctx, http.StatusBadRequest, "Invalid parameter", "invalid file name: %s", params.Name)
 	}
-	if v, err := assertGrant(ctx, rbac.GrantRoot); !v {
-		return err
-	}
 	if a.localhost == nodename {
 		return a.getLocalDRBDConfig(ctx, params)
 	}

diff --git a/daemon/daemonapi/get_node_drivers.go b/daemon/daemonapi/get_node_drivers.go
@@ -12,6 +12,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeDriver(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeDriver(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_logs.go b/daemon/daemonapi/get_node_logs.go
@@ -20,6 +20,9 @@ import (
 
 // GetNodeLogs feeds publications in rss format.
 func (a *DaemonAPI) GetNodeLogs(ctx echo.Context, nodename string, params api.GetNodeLogsParams) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if nodename == a.localhost || nodename == "localhost" {
 		return a.getLocalNodeLogs(ctx, params)
 	} else if !clusternode.Has(nodename) {

diff --git a/daemon/daemonapi/get_node_ping.go b/daemon/daemonapi/get_node_ping.go
@@ -10,6 +10,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodePing(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodePing(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_schedule.go b/daemon/daemonapi/get_node_schedule.go
@@ -12,6 +12,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSchedule(ctx echo.Context, nodename string) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalSchedule(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_ssh_hostkeys.go b/daemon/daemonapi/get_node_ssh_hostkeys.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSSHHostkeys(ctx echo.Context, nodename string) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalSSHHostkeys(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_ssh_key.go b/daemon/daemonapi/get_node_ssh_key.go
@@ -17,6 +17,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSSHKey(ctx echo.Context, nodename string) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalSSHKey(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_disk.go b/daemon/daemonapi/get_node_system_disk.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemDisk(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemDisk(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_group.go b/daemon/daemonapi/get_node_system_group.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemGroup(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemGroup(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_hardware.go b/daemon/daemonapi/get_node_system_hardware.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemHardware(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemHardware(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_ipaddress.go b/daemon/daemonapi/get_node_system_ipaddress.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemIPAddress(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemIPAddress(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_package.go b/daemon/daemonapi/get_node_system_package.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemPackage(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemPackage(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_patch.go b/daemon/daemonapi/get_node_system_patch.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemPatch(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemPatch(ctx)
 	}

diff --git a/daemon/daemonapi/get_node_system_property.go b/daemon/daemonapi/get_node_system_property.go
@@ -13,6 +13,9 @@ import (
 )
 
 func (a *DaemonAPI) GetNodeSystemProperty(ctx echo.Context, nodename api.InPathNodeName) error {
+	if _, err := assertRoot(ctx); err != nil {
+		return err
+	}
 	if a.localhost == nodename {
 		return a.getLocalNodeSystemProperty(ctx)
 	}