[lxc-devel] [lxd/master] lxd/rbac: Filter storage UsedBy

stgraber on Github lxc-bot at linuxcontainers.org
Sat Nov 28 01:34:06 UTC 2020


From be0e76b98c2fadcbd9dc09d34a05c3e6e3707da5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 27 Nov 2020 20:33:51 -0500
Subject: [PATCH] lxd/rbac: Filter storage UsedBy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/storage_pools.go       |  4 ++--
 lxd/storage_pools_utils.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/lxd/storage_pools.go b/lxd/storage_pools.go
index 2e3631e676..d7dd919474 100644
--- a/lxd/storage_pools.go
+++ b/lxd/storage_pools.go
@@ -70,7 +70,7 @@ func storagePoolsGet(d *Daemon, r *http.Request) response.Response {
 			if err != nil {
 				return response.SmartError(err)
 			}
-			pl.UsedBy = poolUsedBy
+			pl.UsedBy = filterUsedBy(d, r, poolUsedBy)
 
 			resultMap = append(resultMap, *pl)
 		}
@@ -332,7 +332,7 @@ func storagePoolGet(d *Daemon, r *http.Request) response.Response {
 	if err != nil {
 		return response.SmartError(err)
 	}
-	pool.UsedBy = poolUsedBy
+	pool.UsedBy = filterUsedBy(d, r, poolUsedBy)
 
 	targetNode := queryParam(r, "target")
 
diff --git a/lxd/storage_pools_utils.go b/lxd/storage_pools_utils.go
index 6ea29eb5c2..6bcf985a9a 100644
--- a/lxd/storage_pools_utils.go
+++ b/lxd/storage_pools_utils.go
@@ -2,9 +2,12 @@ package main
 
 import (
 	"fmt"
+	"net/http"
+	"strings"
 
 	"github.com/pkg/errors"
 
+	"github.com/lxc/lxd/lxd/project"
 	"github.com/lxc/lxd/lxd/state"
 	storagePools "github.com/lxc/lxd/lxd/storage"
 	"github.com/lxc/lxd/shared"
@@ -183,3 +186,30 @@ func dbStoragePoolDeleteAndUpdateCache(s *state.State, poolName string) error {
 
 	return err
 }
+
+// filterUsedBy filters a UsedBy list based on project access
+func filterUsedBy(d *Daemon, r *http.Request, entries []string) []string {
+	// Shortcut for admins and non-RBAC environments.
+	if d.userIsAdmin(r) {
+		return entries
+	}
+
+	// Filter the entries.
+	usedBy := []string{}
+	for _, entry := range entries {
+		projectName := project.Default
+		fields := strings.Split(entry, "?project=")
+		if len(fields) > 1 {
+			projectName = fields[len(fields)-1]
+			projectName = strings.Split(projectName, "&")[0]
+		}
+
+		if !d.userHasPermission(r, projectName, "view") {
+			continue
+		}
+
+		usedBy = append(usedBy, entry)
+	}
+
+	return usedBy
+}
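Review bot: The project name is recovered by splitting the entry on the literal `?project=`, so any entry whose `project` parameter is not the first query parameter (for example `?target=...&project=...`) would fall back to `project.Default` and be checked against the default project's `view` permission rather than the project the resource actually belongs to; depending on which projects the caller can view, that would either hide an entry they may see or expose one they may not. Parsing the entry with `net/url` and reading `Query().Get("project")` handles any parameter order and percent-encoded values, and keeps the default-project fallback only for entries with no project parameter at all; `net/url` would then need adding to the import block of `lxd/storage_pools_utils.go`. Whether callers ever produce entries in that form is not visible from this hunk, so this may be hardening rather than a live defect. The doc comment should also state the fallback, e.g. `// filterUsedBy filters a UsedBy list based on project access. Entries without a project query parameter are treated as belonging to the default project.`.
```go
	for _, entry := range entries {
		projectName := project.Default
		if u, err := url.Parse(entry); err == nil {
			if p := u.Query().Get("project"); p != "" {
				projectName = p
			}
		}
		// … unchanged: view-permission check and append …
```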

