[lxc-devel] [lxd/master] API: Storage volumes permission check

tomponline on Github Thu, 05 Mar 2020 08:20:09 -0800

The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6989


This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

From 2c1948bf07d4a0f84175ace7cf039507c72dd4e7 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Thu, 5 Mar 2020 16:16:14 +0000
Subject: [PATCH 1/2] lxc/storage/volumes: Adds API permission check for
 permission "manage-storage-volumes"

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/storage_volumes.go          | 48 ++++++++++++++++-----------------
 lxd/storage_volumes_snapshot.go | 12 ++++-----
 2 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/lxd/storage_volumes.go b/lxd/storage_volumes.go
index 1c5a63db55..0c7942416d 100644
--- a/lxd/storage_volumes.go
+++ b/lxd/storage_volumes.go
@@ -28,55 +28,55 @@ import (
 var storagePoolVolumesCmd = APIEndpoint{
        Path: "storage-pools/{name}/volumes",
 
-       Get:  APIEndpointAction{Handler: storagePoolVolumesGet, AccessHandler: 
AllowAuthenticated},
-       Post: APIEndpointAction{Handler: storagePoolVolumesPost},
+       Get:  APIEndpointAction{Handler: storagePoolVolumesGet, AccessHandler: 
AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+       Post: APIEndpointAction{Handler: storagePoolVolumesPost, AccessHandler: 
AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
 }
 
 var storagePoolVolumesTypeCmd = APIEndpoint{
        Path: "storage-pools/{name}/volumes/{type}",
 
-       Get:  APIEndpointAction{Handler: storagePoolVolumesTypeGet, 
AccessHandler: AllowAuthenticated},
-       Post: APIEndpointAction{Handler: storagePoolVolumesTypePost},
+       Get:  APIEndpointAction{Handler: storagePoolVolumesTypeGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post: APIEndpointAction{Handler: storagePoolVolumesTypePost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeContainerCmd = APIEndpoint{
        Path: "storage-pools/{pool}/volumes/container/{name:.*}",
 
-       Delete: APIEndpointAction{Handler: 
storagePoolVolumeTypeContainerDelete},
-       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerGet, 
AccessHandler: AllowAuthenticated},
-       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeContainerPatch},
-       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeContainerPost},
-       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerPut},
+       Delete: APIEndpointAction{Handler: 
storagePoolVolumeTypeContainerDelete, AccessHandler: 
AllowProjectPermission("storage-volumes", "manage-storage-volumes")},
+       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeContainerPatch, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeContainerPost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeContainerPut, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeVMCmd = APIEndpoint{
        Path: "storage-pools/{pool}/volumes/virtual-machine/{name:.*}",
 
-       Delete: APIEndpointAction{Handler: storagePoolVolumeTypeVMDelete},
-       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeVMGet, 
AccessHandler: AllowAuthenticated},
-       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeVMPatch},
-       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeVMPost},
-       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeVMPut},
+       Delete: APIEndpointAction{Handler: storagePoolVolumeTypeVMDelete, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeVMGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeVMPatch, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeVMPost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeVMPut, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeCustomCmd = APIEndpoint{
        Path: "storage-pools/{pool}/volumes/custom/{name}",
 
-       Delete: APIEndpointAction{Handler: storagePoolVolumeTypeCustomDelete},
-       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomGet, 
AccessHandler: AllowAuthenticated},
-       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeCustomPatch},
-       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeCustomPost},
-       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomPut},
+       Delete: APIEndpointAction{Handler: storagePoolVolumeTypeCustomDelete, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeCustomPatch, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeCustomPost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeCustomPut, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 var storagePoolVolumeTypeImageCmd = APIEndpoint{
        Path: "storage-pools/{pool}/volumes/image/{name}",
 
-       Delete: APIEndpointAction{Handler: storagePoolVolumeTypeImageDelete},
-       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeImageGet, 
AccessHandler: AllowAuthenticated},
-       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeImagePatch},
-       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeImagePost},
-       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeImagePut},
+       Delete: APIEndpointAction{Handler: storagePoolVolumeTypeImageDelete, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Get:    APIEndpointAction{Handler: storagePoolVolumeTypeImageGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Patch:  APIEndpointAction{Handler: storagePoolVolumeTypeImagePatch, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post:   APIEndpointAction{Handler: storagePoolVolumeTypeImagePost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Put:    APIEndpointAction{Handler: storagePoolVolumeTypeImagePut, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 // /1.0/storage-pools/{name}/volumes
diff --git a/lxd/storage_volumes_snapshot.go b/lxd/storage_volumes_snapshot.go
index dca4382915..54c4a4c413 100644
--- a/lxd/storage_volumes_snapshot.go
+++ b/lxd/storage_volumes_snapshot.go
@@ -21,17 +21,17 @@ import (
 var storagePoolVolumeSnapshotsTypeCmd = APIEndpoint{
        Path: "storage-pools/{pool}/volumes/{type}/{name}/snapshots",
 
-       Get:  APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypeGet, 
AccessHandler: AllowAuthenticated},
-       Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypePost},
+       Get:  APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypeGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post: APIEndpointAction{Handler: storagePoolVolumeSnapshotsTypePost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 var storagePoolVolumeSnapshotTypeCmd = APIEndpoint{
        Path: 
"storage-pools/{pool}/volumes/{type}/{name}/snapshots/{snapshotName}",
 
-       Delete: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeDelete},
-       Get:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeGet, 
AccessHandler: AllowAuthenticated},
-       Post:   APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePost},
-       Put:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePut},
+       Delete: APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeDelete, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Get:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypeGet, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Post:   APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePost, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
+       Put:    APIEndpointAction{Handler: storagePoolVolumeSnapshotTypePut, 
AccessHandler: AllowProjectPermission("storage-volumes", 
"manage-storage-volumes")},
 }
 
 func storagePoolVolumeSnapshotsTypePost(d *Daemon, r *http.Request) 
response.Response {

From 4d7376d770d5daabd4a70604824aa4833e2f4b0d Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parr...@canonical.com>
Date: Thu, 5 Mar 2020 16:06:15 +0000
Subject: [PATCH 2/2] lxd/daemon: Adds comment to AllowAuthenticated

To explain the apparent briefness of this function.

Signed-off-by: Thomas Parrott <thomas.parr...@canonical.com>
---
 lxd/daemon.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lxd/daemon.go b/lxd/daemon.go
index 68931fe677..571e0ead5b 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -201,7 +201,10 @@ type APIEndpointAction struct {
        AllowUntrusted bool
 }
 
-// AllowAuthenticated is a AccessHandler which allows all requests
+// AllowAuthenticated is a AccessHandler which allows all requests.
+// This function doesn't do anything itself, except return the 
EmptySyncResponse that allows the request to
+// proceed. However in order to access any API route you must be 
authenticated, unless the handler's AllowUntrusted
+// property is set to true or you are an admin.
 func AllowAuthenticated(d *Daemon, r *http.Request) response.Response {
        return response.EmptySyncResponse
 }

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [lxd/master] API: Storage volumes permission check

Reply via email to