From: Nizamudeen A <nia@redhat.com>
Date: Tue, 6 Apr 2021 15:54:51 +0000 (+0530)
Subject: mgr/dashboard: Revoke read-only user's access to Manager modules
X-Git-Tag: v14.2.22~25^2~12^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F40650%2Fhead;p=ceph.git

mgr/dashboard: Revoke read-only user's access to Manager modules

This will disable read only user to read/open Manager Modules page in
Ceph Dashboard where some of the security related informations are
shown.

Fixes: https://tracker.ceph.com/issues/50174
Signed-off-by: Nizamudeen A <nia@redhat.com>
(cherry picked from commit fb607f1561371340d2c9d4e16c4eaceb365fd926)

Conflicts:
	src/pybind/mgr/dashboard/services/access_control.py
   - Some of the changes are not backported because those features are
     not implemented on nautilus. So I left them as it is
---

diff --git a/src/pybind/mgr/dashboard/services/access_control.py b/src/pybind/mgr/dashboard/services/access_control.py
index 4a09991a9e6..64d1e7967c5 100644
--- a/src/pybind/mgr/dashboard/services/access_control.py
+++ b/src/pybind/mgr/dashboard/services/access_control.py
@@ -114,7 +114,7 @@ ADMIN_ROLE = Role('administrator', 'Administrator', {
 # read-only role provides read-only permission for all scopes
 READ_ONLY_ROLE = Role('read-only', 'Read-Only', {
     scope_name: [_P.READ] for scope_name in Scope.all_scopes()
-    if scope_name != Scope.DASHBOARD_SETTINGS
+    if scope_name not in (Scope.DASHBOARD_SETTINGS, Scope.CONFIG_OPT)
 })