mgr/dashboard: fix security scopes of some NFS-Ganesha endpoints 37961/head
authorKiefer Chang <kiefer.chang@suse.com>
Tue, 8 Sep 2020 07:41:02 +0000 (15:41 +0800)
committerLaura Paduano <lpaduano@suse.com>
Thu, 5 Nov 2020 09:51:25 +0000 (10:51 +0100)
Apply NFS_GANESHA scope to these endpoints:
- `/api/nfs-ganesha/daemon`.
- `/ui-api/nfs-ganesha/*`.

Otherwise, any valid user can access them.

Fixes: https://tracker.ceph.com/issues/47356
Signed-off-by: Kiefer Chang <kiefer.chang@suse.com>
(cherry picked from commit ed123e493cf43e71cb608a31ac8f2a9136f6febf)

 Conflicts:
src/pybind/mgr/dashboard/controllers/nfsganesha.py
 - ReadPermissions between Endpoint and def lsdir;
   def lsdir pylint addition

src/pybind/mgr/dashboard/controllers/nfsganesha.py

index 259910550faa84e0b5c42466e14cc88ce0e26873..b9599d72b482a527bc80071779deb79595b560ab 100644 (file)
@@ -231,7 +231,7 @@ class NFSGaneshaExports(RESTController):
             ganesha_conf.reload_daemons(export.daemons)
 
 
-@ApiController('/nfs-ganesha/daemon')
+@ApiController('/nfs-ganesha/daemon', Scope.NFS_GANESHA)
 @ControllerDoc(group="NFS-Ganesha")
 class NFSGaneshaService(RESTController):
 
@@ -266,18 +266,21 @@ class NFSGaneshaService(RESTController):
         return result
 
 
-@UiApiController('/nfs-ganesha')
+@UiApiController('/nfs-ganesha', Scope.NFS_GANESHA)
 class NFSGaneshaUi(BaseController):
     @Endpoint('GET', '/cephx/clients')
+    @ReadPermission
     def cephx_clients(self):
         return [client for client in CephX.list_clients()]
 
     @Endpoint('GET', '/fsals')
+    @ReadPermission
     def fsals(self):
         return Ganesha.fsals_available()
 
     @Endpoint('GET', '/lsdir')
-    def lsdir(self, root_dir=None, depth=1):
+    @ReadPermission
+    def lsdir(self, root_dir=None, depth=1):  # pragma: no cover
         if root_dir is None:
             root_dir = "/"
         depth = int(depth)
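Review bot: `lsdir` gains `# pragma: no cover` in the same change that puts it behind `@ReadPermission`, so the one handler here that takes caller-supplied `root_dir` and `depth` is excluded from coverage just as its access rule changes. `int(depth)` raises `ValueError` on a non-numeric query value, and the hunk does not show it being caught or `depth` being bounded; the body of `lsdir` continues outside the hunk, so this may already be handled there. I would drop the pragma and add a test that a user without the nfs-ganesha read permission is refused on `/ui-api/nfs-ganesha/lsdir`, plus one for a non-integer `depth`.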
@@ -297,13 +300,16 @@ class NFSGaneshaUi(BaseController):
             return {'paths': []}
 
     @Endpoint('GET', '/cephfs/filesystems')
+    @ReadPermission
     def filesystems(self):
         return CephFS.list_filesystems()
 
     @Endpoint('GET', '/rgw/buckets')
+    @ReadPermission
     def buckets(self, user_id=None):
         return RgwClient.instance(user_id).get_buckets()
 
     @Endpoint('GET', '/clusters')
+    @ReadPermission
     def clusters(self):
         return Ganesha.get_ganesha_clusters()
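Review bot: `buckets` is now gated on NFS_GANESHA read only, yet it returns RGW data for whatever `user_id` the caller passes to `RgwClient.instance(user_id).get_buckets()`, so a role with nothing but nfs-ganesha read could list the buckets of any RGW user unless `RgwClient.instance` restricts it (not visible here). The same cross-scope reach applies to `filesystems` (CephFS) and to `cephx_clients` in the previous hunk. If that is intended because the export form needs these lists, say so on each method, e.g. `"""Requires nfs-ganesha read; returns RGW bucket names for the export form."""`, so the exposure is a documented decision rather than a side effect of the shared scope.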