From fb607f1561371340d2c9d4e16c4eaceb365fd926 Mon Sep 17 00:00:00 2001
From: Nizamudeen A <nia@redhat.com>
Date: Tue, 6 Apr 2021 21:24:51 +0530
Subject: [PATCH] mgr/dashboard: Revoke read-only user's access to Manager
 modules

This will disable read only user to read/open Manager Modules page in
Ceph Dashboard where some of the security related informations are
shown.

Fixes: https://tracker.ceph.com/issues/50174
Signed-off-by: Nizamudeen A <nia@redhat.com>
---
 src/pybind/mgr/dashboard/services/access_control.py   | 7 ++++---
 src/pybind/mgr/dashboard/tests/test_access_control.py | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/pybind/mgr/dashboard/services/access_control.py b/src/pybind/mgr/dashboard/services/access_control.py
index 644d10ef37ff..dd32712494fc 100644
--- a/src/pybind/mgr/dashboard/services/access_control.py
+++ b/src/pybind/mgr/dashboard/services/access_control.py
@@ -217,9 +217,10 @@ ADMIN_ROLE = Role(
 
 # read-only role provides read-only permission for all scopes
 READ_ONLY_ROLE = Role(
-    'read-only', 'allows read permission for all security scopes except dashboard settings', {
+    'read-only',
+    'allows read permission for all security scope except dashboard settings and config-opt', {
         scope_name: [_P.READ] for scope_name in Scope.all_scopes()
-        if scope_name != Scope.DASHBOARD_SETTINGS
+        if scope_name not in (Scope.DASHBOARD_SETTINGS, Scope.CONFIG_OPT)
     })
 
 
@@ -246,7 +247,7 @@ RGW_MGR_ROLE = Role(
 # Config options
 CLUSTER_MGR_ROLE = Role(
     'cluster-manager', """allows full permissions for the hosts, osd, mon, mgr,
-    and config-opt scopes.""", {
+    and config-opt scopes""", {
         Scope.HOSTS: [_P.READ, _P.CREATE, _P.UPDATE, _P.DELETE],
         Scope.OSD: [_P.READ, _P.CREATE, _P.UPDATE, _P.DELETE],
         Scope.MONITOR: [_P.READ, _P.CREATE, _P.UPDATE, _P.DELETE],
diff --git a/src/pybind/mgr/dashboard/tests/test_access_control.py b/src/pybind/mgr/dashboard/tests/test_access_control.py
index 44f759edfb64..9415d7e57064 100644
--- a/src/pybind/mgr/dashboard/tests/test_access_control.py
+++ b/src/pybind/mgr/dashboard/tests/test_access_control.py
@@ -154,8 +154,10 @@ class AccessControlTest(unittest.TestCase, CLICommandTestMixin):
     def test_show_system_role(self):
         role = self.exec_cmd('ac-role-show', rolename="read-only")
         self.assertEqual(role['name'], 'read-only')
-        self.assertEqual(role['description'],
-                         'allows read permission for all security scopes except dashboard settings')
+        self.assertEqual(
+            role['description'],
+            'allows read permission for all security scope except dashboard settings and config-opt'
+        )
 
     def test_delete_system_role(self):
         with self.assertRaises(CmdException) as ctx:
-- 
2.47.3