mgr/dashboard: Revoke read-only user's access to Manager modules 40648/head
authorNizamudeen A <nia@redhat.com>
Tue, 6 Apr 2021 15:54:51 +0000 (21:24 +0530)
committerNizamudeen A <nia@redhat.com>
Wed, 7 Apr 2021 14:43:03 +0000 (20:13 +0530)
This prevents read-only users from reading or opening the Manager Modules page
in the Ceph Dashboard, where some security-related information is shown.

Fixes: https://tracker.ceph.com/issues/50174
Signed-off-by: Nizamudeen A <nia@redhat.com>
(cherry picked from commit fb607f1561371340d2c9d4e16c4eaceb365fd926)

src/pybind/mgr/dashboard/services/access_control.py
src/pybind/mgr/dashboard/tests/test_access_control.py

index 644d10ef37ff45fbdb1a1f7581d7a99d9b8def8c..dd32712494fc527664cdb58b3eb4446bc741e2c2 100644 (file)
@@ -217,9 +217,10 @@ ADMIN_ROLE = Role(
 
 # read-only role provides read-only permission for all scopes
 READ_ONLY_ROLE = Role(
-    'read-only', 'allows read permission for all security scopes except dashboard settings', {
+    'read-only',
+    'allows read permission for all security scope except dashboard settings and config-opt', {
         scope_name: [_P.READ] for scope_name in Scope.all_scopes()
-        if scope_name != Scope.DASHBOARD_SETTINGS
+        if scope_name not in (Scope.DASHBOARD_SETTINGS, Scope.CONFIG_OPT)
     })
 
 
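Review bot: The read-only role is still built as "every scope except a short exclusion tuple", so any scope later added to `Scope.all_scopes()` becomes readable by read-only users by default. The context comment above `READ_ONLY_ROLE` also still says "for all scopes". I would update that comment to name the exclusions and the reason, e.g. `# read-only role: read permission for every scope except Scope.DASHBOARD_SETTINGS and Scope.CONFIG_OPT, which expose security-sensitive settings; review this tuple when adding a scope`. The new description string also reads "all security scope" where the old one had "scopes". The test in test_access_control.py pins the same text, so the two must be corrected together.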
@@ -246,7 +247,7 @@ RGW_MGR_ROLE = Role(
 # Config options
 CLUSTER_MGR_ROLE = Role(
     'cluster-manager', """allows full permissions for the hosts, osd, mon, mgr,
-    and config-opt scopes.""", {
+    and config-opt scopes""", {
         Scope.HOSTS: [_P.READ, _P.CREATE, _P.UPDATE, _P.DELETE],
         Scope.OSD: [_P.READ, _P.CREATE, _P.UPDATE, _P.DELETE],
         Scope.MONITOR: [_P.READ, _P.CREATE, _P.UPDATE, _P.DELETE],
index 44f759edfb64fcfb6dd6031498008114b7956f0f..9415d7e57064f7a738ec15d7069b689dd9dd5b16 100644 (file)
@@ -154,8 +154,10 @@ class AccessControlTest(unittest.TestCase, CLICommandTestMixin):
     def test_show_system_role(self):
         role = self.exec_cmd('ac-role-show', rolename="read-only")
         self.assertEqual(role['name'], 'read-only')
-        self.assertEqual(role['description'],
-                         'allows read permission for all security scopes except dashboard settings')
+        self.assertEqual(
+            role['description'],
+            'allows read permission for all security scope except dashboard settings and config-opt'
+        )
 
     def test_delete_system_role(self):
         with self.assertRaises(CmdException) as ctx:
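Review bot: `test_show_system_role` only pins the description text, so it would still pass if `config-opt` were put back into the read-only role's permissions. An assertion on the permission map would cover the actual access change, for example `self.assertNotIn('config-opt', role['scopes_permissions'])`. That assumes the `ac-role-show` output exposes the scope map under that key, which is not visible in this hunk. `test_delete_system_role` continues outside the hunk.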