Allow non admin users to manage BSL #6589
@@ -96,11 +96,18 @@ const ( | |||
displayNameLabelKey = "csbl-display-name" | ||||
) | ||||
|
||||
func ListCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) ([]*apiv2.ClusterBackupStorageLocation, error) { | ||||
func ListCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) ([]*apiv2.ClusterBackupStorageLocation, error) { | ||||
req, ok := request.(listCbslReq) | ||||
if !ok { | ||||
return nil, utilerrors.NewBadRequest("invalid request") | ||||
} | ||||
|
||||
_, err := userInfoGetter(ctx, req.ProjectID) | ||||
|
||||
if err != nil { | ||||
return nil, err | ||||
} | ||||
|
||||
labelSet := map[string]string{ | ||||
kubermaticv1.ProjectIDLabelKey: req.ProjectID, | ||||
} | ||||
|
@@ -122,11 +129,18 @@ func ListCBSL(ctx context.Context, request interface{}, provider provider.Backup | |||
return resp, nil | ||||
} | ||||
|
||||
func GetCSBL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) { | ||||
func GetCSBL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) { | ||||
req, ok := request.(getCbslReq) | ||||
if !ok { | ||||
return nil, utilerrors.NewBadRequest("invalid request") | ||||
} | ||||
|
||||
_, err := userInfoGetter(ctx, req.ProjectID) | ||||
|
||||
if err != nil { | ||||
return nil, err | ||||
} | ||||
|
||||
labelSet := map[string]string{ | ||||
kubermaticv1.ProjectIDLabelKey: req.ProjectID, | ||||
} | ||||
|
@@ -144,11 +158,22 @@ func GetCSBL(ctx context.Context, request interface{}, provider provider.BackupS | |||
}, nil | ||||
} | ||||
|
||||
func CreateCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) { | ||||
func CreateCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) { | ||||
req, ok := request.(createCbslReq) | ||||
if !ok { | ||||
return nil, utilerrors.NewBadRequest("invalid request") | ||||
} | ||||
|
||||
user, err := userInfoGetter(ctx, req.ProjectID) | ||||
|
||||
if err != nil { | ||||
return nil, err | ||||
} | ||||
|
||||
if user.Roles.Has("viewers") { | ||||
return nil, fmt.Errorf("user with a viewer role is not permitted to create storage locations.") | ||||
} | ||||
|
||||
cbslName := req.Body.Name | ||||
cbslSpec := req.Body.CBSLSpec.DeepCopy() | ||||
creds := req.Body.Credentials | ||||
|
@@ -168,21 +193,31 @@ func CreateCBSL(ctx context.Context, request interface{}, provider provider.Back | |||
}, nil | ||||
} | ||||
|
||||
func DeleteCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) error { | ||||
func DeleteCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) error { | ||||
req, ok := request.(deleteCbslReq) | ||||
if !ok { | ||||
return utilerrors.NewBadRequest("invalid request") | ||||
} | ||||
|
||||
err := provider.DeleteUnsecured(ctx, req.ClusterBackupStorageLocationName) | ||||
user, err := userInfoGetter(ctx, req.ProjectID) | ||||
|
||||
if err != nil { | ||||
return err | ||||
} | ||||
|
||||
if user.Roles.Has("viewers") { | ||||
return fmt.Errorf("user with a viewer role is not permitted to delete storage locations.") | ||||
} | ||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. my understanding from other code is that it is possible for a user to have both "viewer" as well as another role. As a result we also need to check if viewers is the only role the user has. For example like this is done here
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same for Create and Patch as well |
||||
|
||||
err = provider.DeleteUnsecured(ctx, req.ClusterBackupStorageLocationName) | ||||
if err != nil { | ||||
return err | ||||
} | ||||
|
||||
return nil | ||||
} | ||||
|
||||
func PatchCBSL(ctx context.Context, request interface{}, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) { | ||||
func PatchCBSL(ctx context.Context, request interface{}, userInfoGetter provider.UserInfoGetter, provider provider.BackupStorageProvider, projectProvider provider.ProjectProvider) (*apiv2.ClusterBackupStorageLocation, error) { | ||||
req, ok := request.(patchCbslReq) | ||||
if !ok { | ||||
return nil, utilerrors.NewBadRequest("invalid request") | ||||
|
@@ -197,6 +232,16 @@ func PatchCBSL(ctx context.Context, request interface{}, provider provider.Backu | |||
return nil, err | ||||
} | ||||
|
||||
user, err := userInfoGetter(ctx, req.ProjectID) | ||||
|
||||
if err != nil { | ||||
return nil, err | ||||
} | ||||
|
||||
if user.Roles.Has("viewers") { | ||||
return nil, fmt.Errorf("user with a viewer role is not permitted to edit storage locations.") | ||||
} | ||||
|
||||
return &apiv2.ClusterBackupStorageLocation{ | ||||
Name: patched.Name, | ||||
DisplayName: patched.Labels[displayNameLabelKey], | ||||
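Review bot: In PatchCBSL the viewer-role check runs after the patch has already been persisted — the hunk opens on the tail of an error check and `patched` is already in scope for the return below it, so a viewer's edit goes through and only the response is denied; the `userInfoGetter` call and the `user.Roles.Has("viewers")` guard should move ahead of the provider call that produces `patched` (PatchCBSL starts outside this hunk, so that call is not visible here). The equivalent guards in CreateCBSL and DeleteCBSL do run before the mutation, so only the Patch hunk needs reordering. Separately, the denial is returned as a plain `fmt.Errorf` while the request-shape errors above use `utilerrors.NewBadRequest`; unless the transport layer maps arbitrary errors, this surfaces as a 500 rather than a 403, so a status-carrying constructor from the same package should be used (for example `return nil, utilerrors.New(http.StatusForbidden, "user with a viewer role is not permitted to edit storage locations")` if one exists) and the trailing period dropped from the message, in all three places. It is also worth confirming that `provider.DeleteUnsecured`, keyed only by `req.ClusterBackupStorageLocationName`, is scoped to `req.ProjectID` — the new authorization is evaluated against the project named in the request while List/Get filter by `kubermaticv1.ProjectIDLabelKey`, so a bare name would otherwise let a member of one project act on another project's location.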
|
I think this essentially only queries the user roles and so on, but since you are not using them to check for anything (like in CreateCSBL), I believe it can be removed
same for the
GetCSBL
func