[lxc-devel] [lxd/master] lxd/rbac: Filter storage UsedBy
stgraber on Github
lxc-bot at linuxcontainers.org
Sat Nov 28 01:34:06 UTC 2020
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 354 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20201127/65073d20/attachment.bin>
-------------- next part --------------
From be0e76b98c2fadcbd9dc09d34a05c3e6e3707da5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 27 Nov 2020 20:33:51 -0500
Subject: [PATCH] lxd/rbac: Filter storage UsedBy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/storage_pools.go | 4 ++--
lxd/storage_pools_utils.go | 30 ++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/lxd/storage_pools.go b/lxd/storage_pools.go
index 2e3631e676..d7dd919474 100644
--- a/lxd/storage_pools.go
+++ b/lxd/storage_pools.go
@@ -70,7 +70,7 @@ func storagePoolsGet(d *Daemon, r *http.Request) response.Response {
if err != nil {
return response.SmartError(err)
}
- pl.UsedBy = poolUsedBy
+ pl.UsedBy = filterUsedBy(d, r, poolUsedBy)
resultMap = append(resultMap, *pl)
}
@@ -332,7 +332,7 @@ func storagePoolGet(d *Daemon, r *http.Request) response.Response {
if err != nil {
return response.SmartError(err)
}
- pool.UsedBy = poolUsedBy
+ pool.UsedBy = filterUsedBy(d, r, poolUsedBy)
targetNode := queryParam(r, "target")
diff --git a/lxd/storage_pools_utils.go b/lxd/storage_pools_utils.go
index 6ea29eb5c2..6bcf985a9a 100644
--- a/lxd/storage_pools_utils.go
+++ b/lxd/storage_pools_utils.go
@@ -2,9 +2,12 @@ package main
import (
"fmt"
+ "net/http"
+ "strings"
"github.com/pkg/errors"
+ "github.com/lxc/lxd/lxd/project"
"github.com/lxc/lxd/lxd/state"
storagePools "github.com/lxc/lxd/lxd/storage"
"github.com/lxc/lxd/shared"
@@ -183,3 +186,30 @@ func dbStoragePoolDeleteAndUpdateCache(s *state.State, poolName string) error {
return err
}
+
+// filterUsedBy filters a UsedBy list based on project access
+func filterUsedBy(d *Daemon, r *http.Request, entries []string) []string {
+ // Shortcut for admins and non-RBAC environments.
+ if d.userIsAdmin(r) {
+ return entries
+ }
+
+ // Filter the entries.
+ usedBy := []string{}
+ for _, entry := range entries {
+ projectName := project.Default
+ fields := strings.Split(entry, "?project=")
+ if len(fields) > 1 {
+ projectName = fields[len(fields)-1]
+ projectName = strings.Split(projectName, "&")[0]
+ }
+
+ if !d.userHasPermission(r, projectName, "view") {
+ continue
+ }
+
+ usedBy = append(usedBy, entry)
+ }
+
+ return usedBy
+}
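Review bot: The project lookup in filterUsedBy splits each entry on the literal `?project=`, so an entry whose `project` parameter is not the first query parameter is checked against `project.Default` instead of its real project, and a URL-encoded name is checked in its still-encoded form. Because this check decides what a restricted user may see, the fallback fails open for anyone who has view access on the default project; whether such entries occur today is not visible from this hunk. Parsing the entry with `net/url` (which would need adding to the import block) and skipping entries that fail to parse keeps the filter fail-closed. A test covering an entry with a second query parameter placed before `project` would pin the behaviour.

```go
	for _, entry := range entries {
		// Parse the entry as a URL so the project is found wherever it sits in the query string.
		u, err := url.Parse(entry)
		if err != nil {
			// Fail closed: an entry that cannot be attributed to a project is not shown.
			continue
		}

		projectName := u.Query().Get("project")
		if projectName == "" {
			projectName = project.Default
		}

		// … unchanged: userHasPermission check and append to usedBy …
```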