[lxc-devel] [lxd/master] lxd/rbac: Fix auth for non-RBAC trusted clients
stgraber on Github
lxc-bot at linuxcontainers.org
Wed Jun 3 19:08:18 UTC 2020
From 3af43f2522e3c5004c96ce2e2a860863ea456a6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 3 Jun 2020 15:08:01 -0400
Subject: [PATCH] lxd/rbac: Fix auth for non-RBAC trusted clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/daemon.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 0655b0bc98..30357daddf 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -416,7 +416,7 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) {
untrustedOk := (r.Method == "GET" && c.Get.AllowUntrusted) || (r.Method == "POST" && c.Post.AllowUntrusted)
if trusted {
logger.Debug("Handling", log.Ctx{"method": r.Method, "url": r.URL.RequestURI(), "ip": r.RemoteAddr, "user": username})
- r = r.WithContext(context.WithValue(r.Context(), "username", username))
+ r = r.WithContext(context.WithValue(context.WithValue(r.Context(), "username", username), "protocol", protocol))
} else if untrustedOk && r.Header.Get("X-LXD-authenticated") == "" {
logger.Debug(fmt.Sprintf("Allowing untrusted %s", r.Method), log.Ctx{"url": r.URL.RequestURI(), "ip": r.RemoteAddr})
} else if derr, ok := err.(*bakery.DischargeRequiredError); ok {
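Review bot: The new `"protocol"` value is stored under a bare string context key, like `"username"` before it, and the later hunks make an authorization decision from it. A bare string key can be set or shadowed by any package that calls `context.WithValue` with the same string, which is why staticcheck flags this pattern. An unexported key type, e.g. `type ctxKey string` with `const ctxProtocol ctxKey = "protocol"`, would keep the value settable only from this package; the readers in userIsAdmin and userHasPermission would need the same key. Where `protocol` is assigned is outside this hunk, so it is worth confirming it is only ever set by the daemon's own authentication step and never derived from a request header.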
@@ -1369,6 +1369,10 @@ func (d *Daemon) userIsAdmin(r *http.Request) bool {
return true
}
+ if r.Context().Value("protocol") == "tls" {
+ return true
+ }
+
return d.rbac.IsAdmin(r.Context().Value("username").(string))
}
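Review bot: The added `protocol == "tls"` branch returns true before `d.rbac` is consulted, so every certificate in the trust store is a full admin even when RBAC is configured, and nothing in the code records that this is intentional. A comment above the check, such as `// TLS-trusted clients are not mapped to RBAC users and keep full access.`, would make the policy visible to anyone auditing the trust store. The identical branch added to userHasPermission needs the same comment, and a small helper shared by both would avoid repeating the `"protocol"`/`"tls"` literals. The unchecked `.(string)` assertion on `"username"` in the following line still panics if the value is absent; whether the guard at the top of the function (outside this hunk) rules that out cannot be seen here.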
@@ -1377,6 +1381,10 @@ func (d *Daemon) userHasPermission(r *http.Request, project string, permission s
return true
}
+ if r.Context().Value("protocol") == "tls" {
+ return true
+ }
+
return d.rbac.HasPermission(r.Context().Value("username").(string), project, permission)
}