From: Kiefer Chang Date: Tue, 8 Sep 2020 07:41:02 +0000 (+0800) Subject: mgr/dashboard: fix security scopes of some NFS-Ganesha endpoints X-Git-Tag: v14.2.17~28^2~31^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=92f69285b41e2be642029b6c2e978f1f8b4da550;p=ceph.git mgr/dashboard: fix security scopes of some NFS-Ganesha endpoints Apply NFS_GANESHA scope to these endpoints: - `/api/nfs-ganesha/daemon`. - `/ui-api/nfs-ganesha/*`. Otherwise, any valid users can access them. Fixes: https://tracker.ceph.com/issues/47356 Signed-off-by: Kiefer Chang (cherry picked from commit ed123e493cf43e71cb608a31ac8f2a9136f6febf) Conflicts: src/pybind/mgr/dashboard/controllers/nfsganesha.py - ReadPermissions between Endpoint and def lsdir; def lsdir pylint addition
---
diff --git a/src/pybind/mgr/dashboard/controllers/nfsganesha.py b/src/pybind/mgr/dashboard/controllers/nfsganesha.py
index 259910550faa..b9599d72b482 100644
--- a/src/pybind/mgr/dashboard/controllers/nfsganesha.py
+++ b/src/pybind/mgr/dashboard/controllers/nfsganesha.py
@@ -231,7 +231,7 @@ class NFSGaneshaExports(RESTController):
 ganesha_conf.reload_daemons(export.daemons)
-@ApiController('/nfs-ganesha/daemon')
+@ApiController('/nfs-ganesha/daemon', Scope.NFS_GANESHA)
 @ControllerDoc(group="NFS-Ganesha")
 class NFSGaneshaService(RESTController):
@@ -266,18 +266,21 @@ class NFSGaneshaService(RESTController):
 return result
-@UiApiController('/nfs-ganesha')
+@UiApiController('/nfs-ganesha', Scope.NFS_GANESHA)
 class NFSGaneshaUi(BaseController):
 @Endpoint('GET', '/cephx/clients')
+ @ReadPermission
 def cephx_clients(self):
 return [client for client in CephX.list_clients()]
 @Endpoint('GET', '/fsals')
+ @ReadPermission
 def fsals(self):
 return Ganesha.fsals_available()
 @Endpoint('GET', '/lsdir')
- def lsdir(self, root_dir=None, depth=1):
+ @ReadPermission
+ def lsdir(self, root_dir=None, depth=1): # pragma: no cover
 if root_dir is None:
 root_dir = "/"
 depth = int(depth)
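Review bot: Nothing on `NFSGaneshaUi` records that each `@Endpoint` needs its own permission decorator now that the controller carries `Scope.NFS_GANESHA`; the six `@ReadPermission` lines added in this hunk and the next one are the only hint. How the framework treats a scoped endpoint that declares no permission is not visible on this page, so a handler added later without a decorator could either be refused for every user or skip the permission check. I would add a comment under the class line, e.g. `# Scoped controller: every @Endpoint below must declare @ReadPermission (or another permission decorator).`, and a controller test that requests each route as a user without the NFS-Ganesha scope and expects a 403. The body of `lsdir` continues past the end of this hunk.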
@@ -297,13 +300,16 @@ class NFSGaneshaUi(BaseController):
 return {'paths': []}
 @Endpoint('GET', '/cephfs/filesystems')
+ @ReadPermission
 def filesystems(self):
 return CephFS.list_filesystems()
 @Endpoint('GET', '/rgw/buckets')
+ @ReadPermission
 def buckets(self, user_id=None):
 return RgwClient.instance(user_id).get_buckets()
 @Endpoint('GET', '/clusters')
+ @ReadPermission
 def clusters(self):
 return Ganesha.get_ganesha_clusters()
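Review bot: `buckets` hands the request's `user_id` straight to `RgwClient.instance(user_id)`, so NFS-Ganesha read permission alone is enough to obtain the bucket list for whichever RGW user id the caller names. `filesystems` likewise returns the CephFS list under the NFS-Ganesha scope. This is presumably intended, since the export form needs these values, but it is a cross-scope read that role definitions should account for. I would record it on the handler, e.g. `# Gated by NFS_GANESHA read only: returns buckets for any RGW user_id the caller supplies.`, and state the same on `filesystems`. The hunk opens inside a method whose beginning is outside it, and the class header is not part of the hunk.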