[lxc-devel] [lxd/master] API: Storage volumes permission check
tomponline on Github
lxc-bot at linuxcontainers.org
Thu Mar 5 16:19:12 UTC 2020
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200305/1cb9d2a0/attachment.bin>
-------------- next part --------------
From 2c1948bf07d4a0f84175ace7cf039507c72dd4e7 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Thu, 5 Mar 2020 16:16:14 +0000
Subject: [PATCH 1/2] lxc/storage/volumes: Adds API permission check for
permission "manage-storage-volumes"
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/storage_volumes.go | 48 ++++++++++++++++-----------------
lxd/storage_volumes_snapshot.go | 12 ++++-----
2 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/lxd/storage_volumes.go b/lxd/storage_volumes.go
index 1c5a63db55..0c7942416d 100644
--- a/lxd/storage_volumes.go
+++ b/lxd/storage_volumes.go
@@ -28,55 +28,55 @@ import (
var storagePoolVolumesCmd = APIEndpoint{
Path: "storage-pools/{name}/volumes",
- Get: APIEndpointAction{Handler: storagePoolVolumesGet, AccessHandler: AllowAuthenticated},
- Post: APIEndpointAction{Handler: storagePoolVolumesPost},
+ Get: APIEndpointAction{Handler: storagePoolVolumesGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumesPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
var storagePoolVolumesTypeCmd = APIEndpoint{
Path: "storage-pools/{name}/volumes/{type}",
- Get: APIEndpointAction{Handler: storagePoolVolumesTypeGet, AccessHandler: AllowAuthenticated},
- Post: APIEndpointAction{Handler: storagePoolVolumesTypePost},
+ Get: APIEndpointAction{Handler: storagePoolVolumesTypeGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumesTypePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
var storagePoolVolumeTypeContainerCmd = APIEndpoint{
Path: "storage-pools/{pool}/volumes/container/{name:.*}",
- Delete: APIEndpointAction{Handler: storagePoolVolumeTypeContainerDelete},
- Get: APIEndpointAction{Handler: storagePoolVolumeTypeContainerGet, AccessHandler: AllowAuthenticated},
- Patch: APIEndpointAction{Handler: storagePoolVolumeTypeContainerPatch},
- Post: APIEndpointAction{Handler: storagePoolVolumeTypeContainerPost},
- Put: APIEndpointAction{Handler: storagePoolVolumeTypeContainerPut},
+ Delete: APIEndpointAction{Handler: storagePoolVolumeTypeContainerDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Get: APIEndpointAction{Handler: storagePoolVolumeTypeContainerGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Patch: APIEndpointAction{Handler: storagePoolVolumeTypeContainerPatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumeTypeContainerPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Put: APIEndpointAction{Handler: storagePoolVolumeTypeContainerPut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
var storagePoolVolumeTypeVMCmd = APIEndpoint{
Path: "storage-pools/{pool}/volumes/virtual-machine/{name:.*}",
- Delete: APIEndpointAction{Handler: storagePoolVolumeTypeVMDelete},
- Get: APIEndpointAction{Handler: storagePoolVolumeTypeVMGet, AccessHandler: AllowAuthenticated},
- Patch: APIEndpointAction{Handler: storagePoolVolumeTypeVMPatch},
- Post: APIEndpointAction{Handler: storagePoolVolumeTypeVMPost},
- Put: APIEndpointAction{Handler: storagePoolVolumeTypeVMPut},
+ Delete: APIEndpointAction{Handler: storagePoolVolumeTypeVMDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Get: APIEndpointAction{Handler: storagePoolVolumeTypeVMGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Patch: APIEndpointAction{Handler: storagePoolVolumeTypeVMPatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumeTypeVMPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Put: APIEndpointAction{Handler: storagePoolVolumeTypeVMPut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
var storagePoolVolumeTypeCustomCmd = APIEndpoint{
Path: "storage-pools/{pool}/volumes/custom/{name}",
- Delete: APIEndpointAction{Handler: storagePoolVolumeTypeCustomDelete},
- Get: APIEndpointAction{Handler: storagePoolVolumeTypeCustomGet, AccessHandler: AllowAuthenticated},
- Patch: APIEndpointAction{Handler: storagePoolVolumeTypeCustomPatch},
- Post: APIEndpointAction{Handler: storagePoolVolumeTypeCustomPost},
- Put: APIEndpointAction{Handler: storagePoolVolumeTypeCustomPut},
+ Delete: APIEndpointAction{Handler: storagePoolVolumeTypeCustomDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Get: APIEndpointAction{Handler: storagePoolVolumeTypeCustomGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Patch: APIEndpointAction{Handler: storagePoolVolumeTypeCustomPatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumeTypeCustomPost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Put: APIEndpointAction{Handler: storagePoolVolumeTypeCustomPut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
var storagePoolVolumeTypeImageCmd = APIEndpoint{
Path: "storage-pools/{pool}/volumes/image/{name}",
- Delete: APIEndpointAction{Handler: storagePoolVolumeTypeImageDelete},
- Get: APIEndpointAction{Handler: storagePoolVolumeTypeImageGet, AccessHandler: AllowAuthenticated},
- Patch: APIEndpointAction{Handler: storagePoolVolumeTypeImagePatch},
- Post: APIEndpointAction{Handler: storagePoolVolumeTypeImagePost},
- Put: APIEndpointAction{Handler: storagePoolVolumeTypeImagePut},
+ Delete: APIEndpointAction{Handler: storagePoolVolumeTypeImageDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Get: APIEndpointAction{Handler: storagePoolVolumeTypeImageGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Patch: APIEndpointAction{Handler: storagePoolVolumeTypeImagePatch, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumeTypeImagePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Put: APIEndpointAction{Handler: storagePoolVolumeTypeImagePut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
// /1.0/storage-pools/{name}/volumes
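Review bot: The Get actions on every endpoint in this hunk are gated by the same `manage-storage-volumes` permission as Delete, Patch, Post and Put, so a user cannot be given read-only visibility of volumes without also being able to change or delete them. The removed lines show Get was previously `AllowAuthenticated`, so this narrows who can list volumes. The mutating verbs had no AccessHandler before and presumably fell back to the daemon's default check, so they now open up to anyone holding the project permission. Both are behaviour changes worth a sentence in the commit message. If a separate view permission is not planned, a comment above `storagePoolVolumesCmd` such as `// Read and write access to volumes share one permission; there is no read-only grant.` would make the choice explicit. The same applies to the two snapshot endpoints in lxd/storage_volumes_snapshot.go.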
diff --git a/lxd/storage_volumes_snapshot.go b/lxd/storage_volumes_snapshot.go
index dca4382915..54c4a4c413 100644
--- a/lxd/storage_volumes_snapshot.go
+++ b/lxd/storage_volumes_snapshot.go
@@ -21,17 +21,17 @@ import (
var storagePoolVolumeSnapshotsTypeCmd = APIEndpoint{
Path: "storage-pools/{pool}/volumes/{type}/{name}/snapshots",
- Get: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypeGet, AccessHandler: AllowAuthenticated},
- Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypePost},
+ Get: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypeGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
var storagePoolVolumeSnapshotTypeCmd = APIEndpoint{
Path: "storage-pools/{pool}/volumes/{type}/{name}/snapshots/{snapshotName}",
- Delete: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeDelete},
- Get: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeGet, AccessHandler: AllowAuthenticated},
- Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePost},
- Put: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePut},
+ Delete: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeDelete, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Get: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeGet, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePost, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+ Put: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePut, AccessHandler: AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
}
func storagePoolVolumeSnapshotsTypePost(d *Daemon, r *http.Request) response.Response {
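Review bot: The permission pair `"storage-volumes", "manage-storage-volumes"` is spelled out as string literals on each of the six actions here and on every action in lxd/storage_volumes.go, so a typo in any one of them would still compile and leave that route with a different check from its siblings. Building the handler once, e.g. `var allowManageStorageVolumes = AllowProjectPermission("storage-volumes", "manage-storage-volumes")`, and writing `AccessHandler: allowManageStorageVolumes` on each action keeps the routes in step and makes a missing handler easier to spot in review. This assumes AllowProjectPermission returns a handler that holds no per-route state, which is not visible in this patch.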
From 4d7376d770d5daabd4a70604824aa4833e2f4b0d Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Thu, 5 Mar 2020 16:06:15 +0000
Subject: [PATCH 2/2] lxd/daemon: Adds comment to AllowAuthenticated
To explain the apparent briefness of this function.
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/daemon.go | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 68931fe677..571e0ead5b 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -201,7 +201,10 @@ type APIEndpointAction struct {
AllowUntrusted bool
}
-// AllowAuthenticated is a AccessHandler which allows all requests
+// AllowAuthenticated is a AccessHandler which allows all requests.
+// This function doesn't do anything itself, except return the EmptySyncResponse that allows the request to
+// proceed. However in order to access any API route you must be authenticated, unless the handler's AllowUntrusted
+// property is set to true or you are an admin.
func AllowAuthenticated(d *Daemon, r *http.Request) response.Response {
return response.EmptySyncResponse
}
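Review bot: The last sentence of the new comment reads as though admins are exempt from authentication ("you must be authenticated, unless ... or you are an admin"), which is probably not what is meant and is a risky ambiguity to leave on an access handler. It would also help to say outright that the function performs no check of its own, so pairing it with `AllowUntrusted: true` lets unauthenticated requests through despite the name. Something like `// It performs no check itself: authentication is enforced before any AccessHandler runs, and is skipped when the action sets AllowUntrusted.` would cover it, assuming that matches the dispatch code, which is outside this hunk. Minor: "a AccessHandler" should be "an AccessHandler".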