[lxc-devel] [lxd/master] lxd/rbac: Fix auth for non-RBAC trusted clients

stgraber on Github lxc-bot at linuxcontainers.org
Wed Jun 3 19:08:18 UTC 2020


From 3af43f2522e3c5004c96ce2e2a860863ea456a6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 3 Jun 2020 15:08:01 -0400
Subject: [PATCH] lxd/rbac: Fix auth for non-RBAC trusted clients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/daemon.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 0655b0bc98..30357daddf 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -416,7 +416,7 @@ func (d *Daemon) createCmd(restAPI *mux.Router, version string, c APIEndpoint) {
 		untrustedOk := (r.Method == "GET" && c.Get.AllowUntrusted) || (r.Method == "POST" && c.Post.AllowUntrusted)
 		if trusted {
 			logger.Debug("Handling", log.Ctx{"method": r.Method, "url": r.URL.RequestURI(), "ip": r.RemoteAddr, "user": username})
-			r = r.WithContext(context.WithValue(r.Context(), "username", username))
+			r = r.WithContext(context.WithValue(context.WithValue(r.Context(), "username", username), "protocol", protocol))
 		} else if untrustedOk && r.Header.Get("X-LXD-authenticated") == "" {
 			logger.Debug(fmt.Sprintf("Allowing untrusted %s", r.Method), log.Ctx{"url": r.URL.RequestURI(), "ip": r.RemoteAddr})
 		} else if derr, ok := err.(*bakery.DischargeRequiredError); ok {
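Review bot: The new `"protocol"` key on line 36 is a built-in string used as a context key, following the existing `"username"` key, and staticcheck (SA1029) flags this because values set under untyped string keys can collide with other packages using the same string; an unexported key type, e.g. `type ctxKey string` with `const ctxProtocol ctxKey = "protocol"`, used here and in the reads in userIsAdmin/userHasPermission, removes that risk. The two nested WithValue calls on one line also read poorly; `ctx := context.WithValue(r.Context(), "username", username)` followed by `r = r.WithContext(context.WithValue(ctx, "protocol", protocol))` is the same behaviour in two readable steps. Where `protocol` is assigned is not visible here, and createCmd's body continues on both sides of the hunk.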
@@ -1369,6 +1369,10 @@ func (d *Daemon) userIsAdmin(r *http.Request) bool {
 		return true
 	}
 
+	if r.Context().Value("protocol") == "tls" {
+		return true
+	}
+
 	return d.rbac.IsAdmin(r.Context().Value("username").(string))
 }
 
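Review bot: The added branch on lines 44-46 grants admin rights to every request whose context carries `protocol == "tls"` without stating why, and the identical check is repeated in userHasPermission on lines 55-57; a one-line comment such as `// Clients trusted via a TLS certificate are not RBAC users and keep the full access they had before RBAC.` belongs above both. The literal `"tls"` is duplicated across the two functions, so a shared helper, `func isTLSClient(r *http.Request) bool { return r.Context().Value("protocol") == "tls" }`, called from both would keep this authorization policy in one place. As far as this patch shows, the value is only set on the `trusted` path in createCmd, so a request reaching these checks without it falls through to the RBAC call, which is the safe default; the `.(string)` assertion on line 48 would still panic if `"username"` were absent, but that is pre-existing rather than introduced here. userIsAdmin's body starts outside the hunk.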
@@ -1377,6 +1381,10 @@ func (d *Daemon) userHasPermission(r *http.Request, project string, permission s
 		return true
 	}
 
+	if r.Context().Value("protocol") == "tls" {
+		return true
+	}
+
 	return d.rbac.HasPermission(r.Context().Value("username").(string), project, permission)
 }
 

