[lxc-devel] [lxd/master] API: Storage volumes permission check

tomponline on Github lxc-bot at linuxcontainers.org
Thu Mar 5 16:19:12 UTC 2020


From 2c1948bf07d4a0f84175ace7cf039507c72dd4e7 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Thu, 5 Mar 2020 16:16:14 +0000
Subject: [PATCH 1/2] lxc/storage/volumes: Adds API permission check for
 permission "manage-storage-volumes"

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/storage_volumes.go          | 48 ++++++++++++++++-----------------
 lxd/storage_volumes_snapshot.go | 12 ++++-----
 2 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/lxd/storage_volumes.go b/lxd/storage_volumes.go
index 1c5a63db55..0c7942416d 100644
--- a/lxd/storage_volumes.go
+++ b/lxd/storage_volumes.go
@@ -28,55 +28,55 @@ import (
 var storagePoolVolumesCmd = APIEndpoint{
 	Path: "storage-pools/{name}/volumes",
 
-	Get:  APIEndpointAction{Handler: storagePoolVolumesGet, AccessHandler: AllowAuthenticated},
-	Post: APIEndpointAction{Handler: storagePoolVolumesPost},
+	Get:  APIEndpointAction{Handler: storagePoolVolumesGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post: APIEndpointAction{Handler: storagePoolVolumesPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumesTypeCmd = APIEndpoint{
 	Path: "storage-pools/{name}/volumes/{type}",
 
-	Get:  APIEndpointAction{Handler: storagePoolVolumesTypeGet, AccessHandler: AllowAuthenticated},
-	Post: APIEndpointAction{Handler: storagePoolVolumesTypePost},
+	Get:  APIEndpointAction{Handler: storagePoolVolumesTypeGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post: APIEndpointAction{Handler: storagePoolVolumesTypePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeContainerCmd = APIEndpoint{
 	Path: "storage-pools/{pool}/volumes/container/{name:.*}",
 
-	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeContainerDelete},
-	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerGet, AccessHandler: AllowAuthenticated},
-	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeContainerPatch},
-	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeContainerPost},
-	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerPut},
+	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeContainerDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeContainerPatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeContainerPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerPut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeVMCmd = APIEndpoint{
 	Path: "storage-pools/{pool}/volumes/virtual-machine/{name:.*}",
 
-	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeVMDelete},
-	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeVMGet, AccessHandler: AllowAuthenticated},
-	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeVMPatch},
-	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeVMPost},
-	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeVMPut},
+	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeVMDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeVMGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeVMPatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeVMPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeVMPut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeCustomCmd = APIEndpoint{
 	Path: "storage-pools/{pool}/volumes/custom/{name}",
 
-	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeCustomDelete},
-	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomGet, AccessHandler: AllowAuthenticated},
-	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeCustomPatch},
-	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeCustomPost},
-	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomPut},
+	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeCustomDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeCustomPatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeCustomPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomPut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeImageCmd = APIEndpoint{
 	Path: "storage-pools/{pool}/volumes/image/{name}",
 
-	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeImageDelete},
-	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeImageGet, AccessHandler: AllowAuthenticated},
-	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeImagePatch},
-	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeImagePost},
-	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeImagePut},
+	Delete: APIEndpointAction{Handler: storagePoolVolumeTypeImageDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Get:    APIEndpointAction{Handler: storagePoolVolumeTypeImageGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeImagePatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post:   APIEndpointAction{Handler: storagePoolVolumeTypeImagePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Put:    APIEndpointAction{Handler: storagePoolVolumeTypeImagePut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 // /1.0/storage-pools/{name}/volumes
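Review bot: Every `Get` in this hunk is now gated on the same `"manage-storage-volumes"` permission as `Delete`, `Patch`, `Post` and `Put`, so a client that only needs to list or inspect volumes must be granted the right to modify them; the two `Get` entries in lxd/storage_volumes_snapshot.go have the same shape. These reads were `AllowAuthenticated` before, so the change also narrows who can read, which may be intended but is not stated in the commit message. If the permission model has, or can gain, a read-level permission, the `Get` actions should use that instead. Binding each check once, for example `var allowManageStorageVolumes = AllowProjectPermission("storage-volumes", "manage-storage-volumes")`, would also replace the 30 repeated string pairs across both files, where a typo in a single literal would be easy to miss in review.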
diff --git a/lxd/storage_volumes_snapshot.go b/lxd/storage_volumes_snapshot.go
index dca4382915..54c4a4c413 100644
--- a/lxd/storage_volumes_snapshot.go
+++ b/lxd/storage_volumes_snapshot.go
@@ -21,17 +21,17 @@ import (
 var storagePoolVolumeSnapshotsTypeCmd = APIEndpoint{
 	Path: "storage-pools/{pool}/volumes/{type}/{name}/snapshots",
 
-	Get:  APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypeGet, AccessHandler: AllowAuthenticated},
-	Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypePost},
+	Get:  APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypeGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumeSnapshotTypeCmd = APIEndpoint{
 	Path: "storage-pools/{pool}/volumes/{type}/{name}/snapshots/{snapshotName}",
 
-	Delete: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeDelete},
-	Get:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeGet, AccessHandler: AllowAuthenticated},
-	Post:   APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePost},
-	Put:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePut},
+	Delete: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Get:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Post:   APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+	Put:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 func storagePoolVolumeSnapshotsTypePost(d *Daemon, r *http.Request) response.Response {
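Review bot: Both snapshot routes take the volume type as a free `{type}` path variable, so the single project-level check added here also covers snapshots of container, virtual-machine and image volumes, not only custom ones. The mutating actions (`Post`, `Delete`, `Put`) had no `AccessHandler` before this change, and the hunk does not show how the project that `AllowProjectPermission` evaluates relates to the pool and volume the handler then acts on. It is worth confirming that each handler resolves `{name}` within that same project and rejects volume types that are not project-scoped, and recording that on the endpoint, e.g. `// Access is checked per project; handlers must confine {type}/{name} to the request's project.` The handler bodies are outside the hunk; storagePoolVolumeSnapshotsTypePost only begins on its last line.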

From 4d7376d770d5daabd4a70604824aa4833e2f4b0d Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Thu, 5 Mar 2020 16:06:15 +0000
Subject: [PATCH 2/2] lxd/daemon: Adds comment to AllowAuthenticated

To explain the apparent briefness of this function.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/daemon.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 68931fe677..571e0ead5b 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -201,7 +201,10 @@ type APIEndpointAction struct {
 	AllowUntrusted bool
 }
 
-// AllowAuthenticated is a AccessHandler which allows all requests
+// AllowAuthenticated is a AccessHandler which allows all requests.
+// This function doesn't do anything itself, except return the EmptySyncResponse that allows the request to
+// proceed. However in order to access any API route you must be authenticated, unless the handler's AllowUntrusted
+// property is set to true or you are an admin.
 func AllowAuthenticated(d *Daemon, r *http.Request) response.Response {
 	return response.EmptySyncResponse
 }
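Review bot: The last sentence of the new comment can be read as saying an admin does not need to be authenticated, and it leaves out the consequence that matters to someone wiring an endpoint: this handler performs no authorization of its own, so any authenticated client passes. I would reword it along the lines of `// AllowAuthenticated is an AccessHandler that performs no authorization check of its own.` followed by `// Authentication is enforced before an AccessHandler runs (unless AllowUntrusted is set), so use it only on endpoints every authenticated client may call.` That also fixes "a AccessHandler". The statement about where authentication is enforced is taken from the comment itself; the enforcing code is not in this hunk.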

