[lxc-devel] [lxd/master] Network: Enforce RBAC permission manage-networks for managing networks
tomponline on Github
lxc-bot at linuxcontainers.org
Tue Sep 22 13:10:36 UTC 2020
From b548f832080d329c0946b4d49dc7cff0f359199e Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Tue, 22 Sep 2020 14:08:11 +0100
Subject: [PATCH 1/2] lxd/daemon: Marks the feature argument as unused in
allowProjectPermission
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/daemon.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 171d0df966..03f30efcca 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -220,7 +220,7 @@ func allowAuthenticated(d *Daemon, r *http.Request) response.Response {
}
// allowProjectPermission is a wrapper to check access against the project, its features and RBAC permission
-func allowProjectPermission(feature string, permission string) func(d *Daemon, r *http.Request) response.Response {
+func allowProjectPermission(_ string, permission string) func(d *Daemon, r *http.Request) response.Response {
return func(d *Daemon, r *http.Request) response.Response {
// Shortcut for speed
if d.userIsAdmin(r) {
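Review bot: The doc comment kept as context above `allowProjectPermission` still says the wrapper checks access against the project's features, but with the first parameter renamed to `_` nothing in the signature feeds a feature into that check any more. Callers keep passing a feature name (the second patch in this series passes `"networks"`), which reads as if a project-feature check were being enforced. I would reword the comment to something like `// allowProjectPermission is a wrapper to check access against the project and its RBAC permission; the first argument is currently ignored.` The function body continues past the end of this hunk, so whether the feature is consulted some other way cannot be confirmed from here.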
From 3696e9d25c38157ef84273bf43b0b22b653dd05b Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Tue, 22 Sep 2020 14:08:50 +0100
Subject: [PATCH 2/2] lxd/networks: Enforces manage-networks RBAC permission
for managing networks
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/networks.go | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lxd/networks.go b/lxd/networks.go
index e53e5bf088..6ad662a834 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -40,7 +40,7 @@ var networksCmd = APIEndpoint{
Path: "networks",
Get: APIEndpointAction{Handler: networksGet, AccessHandler: allowAuthenticated},
- Post: APIEndpointAction{Handler: networksPost},
+ Post: APIEndpointAction{Handler: networksPost, AccessHandler: allowProjectPermission("networks", "manage-networks")},
}
var networkCmd = APIEndpoint{
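Review bot: The permission name on the new `Post` line is a bare string literal, and the same `allowProjectPermission("networks", "manage-networks")` call is repeated three more times in the next hunk (`Patch`, `Post`, `Put`). A typo in any one copy would still compile and would presumably check a permission name that no role grants or that means something else, which is hard to spot in review. Building the handler once, e.g. `var allowManageNetworks = allowProjectPermission("networks", "manage-networks")`, and referencing it from each `APIEndpointAction` keeps the four endpoints provably on the same check.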
@@ -48,9 +48,9 @@ var networkCmd = APIEndpoint{
Delete: APIEndpointAction{Handler: networkDelete},
Get: APIEndpointAction{Handler: networkGet, AccessHandler: allowAuthenticated},
- Patch: APIEndpointAction{Handler: networkPatch},
- Post: APIEndpointAction{Handler: networkPost},
- Put: APIEndpointAction{Handler: networkPut},
+ Patch: APIEndpointAction{Handler: networkPatch, AccessHandler: allowProjectPermission("networks", "manage-networks")},
+ Post: APIEndpointAction{Handler: networkPost, AccessHandler: allowProjectPermission("networks", "manage-networks")},
+ Put: APIEndpointAction{Handler: networkPut, AccessHandler: allowProjectPermission("networks", "manage-networks")},
}
var networkLeasesCmd = APIEndpoint{
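Review bot: `Delete` on `networkCmd` stays as `APIEndpointAction{Handler: networkDelete}` while `Patch`, `Post` and `Put` gain the `manage-networks` access handler, so deletion is not governed by the same permission as the other mutating methods. What applies when `AccessHandler` is unset is not visible in this diff. If the default is admin-only, a user holding `manage-networks` can create, rename and update networks but not delete them; if the default is anything weaker, deletion is the least protected of the mutating operations. I would either add `Delete: APIEndpointAction{Handler: networkDelete, AccessHandler: allowProjectPermission("networks", "manage-networks")},` or leave a comment on the `Delete` line stating why it intentionally differs. A test that asserts the required permission for each mutating method on these endpoints would catch this kind of gap.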