VBV-2275 Creating a PKS cluster with DevOps/Developer role fails with…
… "forbidden"

Change-Id: If0efe9476c6d15996ce4647895efc756d53e287d
Reviewed-on: https://bellevue-ci.eng.vmware.com:8080/46811
Closures-Verified: jenkins <[email protected]>
Upgrade-Verified: jenkins <[email protected]>
PG-Verified: jenkins <[email protected]>
Bellevue-Verified: jenkins <[email protected]>
CS-Verified: jenkins <[email protected]>
Reviewed-by: Lazarin Lazarov <[email protected]>
mshipkovenski committed Oct 18, 2018
1 parent ffd2345 commit 8282ef2
Showing 2 changed files with 62 additions and 0 deletions.
27 changes: 27 additions & 0 deletions auth/src/main/java/com/vmware/admiral/auth/util/AuthUtil.java
Expand Up @@ -35,8 +35,10 @@
import com.vmware.admiral.common.util.PropertyUtils;
import com.vmware.admiral.common.util.QueryUtil;
import com.vmware.admiral.compute.ElasticPlacementZoneConfigurationService;
import com.vmware.admiral.compute.ElasticPlacementZoneService;
import com.vmware.admiral.compute.RegistryConfigCertificateDistributionService;
import com.vmware.admiral.compute.RegistryHostConfigService;
import com.vmware.admiral.compute.cluster.ClusterService;
import com.vmware.admiral.compute.container.CompositeDescriptionCloneService;
import com.vmware.admiral.compute.container.ContainerHostDataCollectionService;
import com.vmware.admiral.compute.container.ContainerLogService;
Expand Down Expand Up @@ -64,6 +66,7 @@
import com.vmware.admiral.service.common.UniquePropertiesService;
import com.vmware.admiral.service.common.harbor.HarborApiProxyService;
import com.vmware.photon.controller.model.resources.ComputeDescriptionService;
import com.vmware.photon.controller.model.resources.ResourcePoolService;
import com.vmware.photon.controller.model.resources.ResourceState;
import com.vmware.xenon.common.Claims;
import com.vmware.xenon.common.Operation;
Expand Down Expand Up @@ -536,6 +539,26 @@ public static List<Query> fullAccessResourcesForAdminsAndMembers(String projectS
buildUriWithWildcard(UniquePropertiesService.FACTORY_LINK),
MatchType.WILDCARD, Occurance.SHOULD_OCCUR)

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
buildUriWithWildcard(ClusterService.SELF_LINK),
MatchType.WILDCARD, Occurance.SHOULD_OCCUR)

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
buildUriWithWildcard(GroupResourcePlacementService.FACTORY_LINK),
MatchType.WILDCARD, Occurance.SHOULD_OCCUR)

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
buildUriWithWildcard(ElasticPlacementZoneConfigurationService.SELF_LINK),
MatchType.WILDCARD, Occurance.SHOULD_OCCUR)

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
buildUriWithWildcard(ElasticPlacementZoneService.FACTORY_LINK),
MatchType.WILDCARD, Occurance.SHOULD_OCCUR)

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
buildUriWithWildcard(ResourcePoolService.FACTORY_LINK),
MatchType.WILDCARD, Occurance.SHOULD_OCCUR)

.build();

List<Query> clauses = new ArrayList<>();
Expand Down Expand Up @@ -600,6 +623,10 @@ public static ResourceGroupState buildCommonProjectResourceGroup(String projectI

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
ContainerStatsService.STATS_PERMISSION_URI,
MatchType.TERM, Occurance.SHOULD_OCCUR)

.addFieldClause(ServiceDocument.FIELD_NAME_SELF_LINK,
ManagementUriParts.PKS_PLANS,
MatchType.TERM, Occurance.SHOULD_OCCUR);

for (Query query : fullAccessResourcesForAdminsAndMembers(projectSelfLink)) {
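Review bot: The five new SHOULD_OCCUR wildcard clauses give project members the same full access as admins to ClusterService, GroupResourcePlacementService, both ElasticPlacementZone services and ResourcePoolService, which is considerably broader than the single POST-to-create-a-PKS-cluster path the commit title describes. fullAccessResourcesForAdminsAndMembers starts before this hunk and the tail where these clauses are combined into `clauses` is outside it, so I cannot see whether the wildcard matches are AND-ed with a tenantLinks clause for `projectSelfLink`; if they are not, a member of one project could read or modify resource pools and placement zones that belong to other projects through the factory wildcard. Please confirm the scoping, and either narrow the ResourcePoolService and ElasticPlacementZoneService clauses to what the PKS flow actually needs or document the intent above the ClusterService clause, e.g. `// VBV-2275: members need cluster, placement and resource-pool access to create PKS clusters; writes on ClusterService are further gated by the interceptor`.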
Expand Up @@ -11,8 +11,12 @@

package com.vmware.admiral.host.interceptor;

import static com.vmware.admiral.common.util.TenantLinksUtil.isProjectLink;

import java.util.ArrayList;

import com.vmware.admiral.adapter.pks.PKSConstants;
import com.vmware.admiral.auth.idm.SecurityContext;
import com.vmware.admiral.auth.util.SecurityContextUtil;
import com.vmware.admiral.closures.services.closure.ClosureService;
import com.vmware.admiral.closures.services.closuredescription.ClosureDescriptionService;
Expand Down Expand Up @@ -252,10 +256,41 @@ private static DeferredResult<Void> handleClusterServiceOp(Service service, Oper
if (op.getAction() == Action.GET && sc.isProjectAdmin(projectLink)) {
return DeferredResult.completed(null);
}

if (isCreatePKSClusterRequest(op, sc, projectLink)) {
return DeferredResult.completed(null);
}
}
return DeferredResult.failed(new IllegalAccessError("forbidden"));
})
.thenAccept(ignore -> {
});
}

private static boolean isCreatePKSClusterRequest(Operation op, SecurityContext sc, String projectLink) {
ContainerHostSpec hostSpec = extractContainerHostSpec(op);
boolean isCreatePKSClusterRequest = hostSpec != null
&& hostSpec.hostState != null
&& hostSpec.hostState.customProperties != null
&& hostSpec.hostState.customProperties
.get(PKSConstants.PKS_ENDPOINT_PROP_NAME) != null;

if (isCreatePKSClusterRequest) {
if (projectLink == null && hostSpec.hostState.tenantLinks != null) {
projectLink = hostSpec.hostState.tenantLinks.stream()
.filter(tenantLink -> isProjectLink(tenantLink))
.findFirst().orElse(null);
}

return op.getAction() == Action.POST
&& isCreatePKSClusterRequest
&& isProjectAdminOrProjectMember(projectLink, sc);
}

return false;
}

private static boolean isProjectAdminOrProjectMember(String projectLink, SecurityContext sc) {
return sc.isProjectAdmin(projectLink) || sc.isProjectMember(projectLink);
}
}
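Review bot: isCreatePKSClusterRequest authorizes the call against only the first project link found in `hostSpec.hostState.tenantLinks` (`findFirst()`), and only when no request-scoped `projectLink` was passed in; if the body lists several project links, membership in the first one is enough, and if the created cluster keeps the whole tenantLinks list it could be attached to projects the caller does not belong to (I cannot see from this hunk what ClusterService does with tenantLinks). The tenantLinks come from the request body and should be treated as untrusted: require every project link named there to satisfy isProjectAdminOrProjectMember, and still check the header-supplied projectLink when present, as in the sketch below. Presence of PKS_ENDPOINT_PROP_NAME alone switches the request onto the member-allowed path; whether downstream verifies that the referenced endpoint belongs to the project is not visible here and is worth confirming. Minor: `isCreatePKSClusterRequest` is re-tested inside the `if` that already established it, and reassigning the `projectLink` parameter hides the fallback; handleClusterServiceOp starts before this hunk.
```java
    private static boolean isCreatePKSClusterRequest(Operation op, SecurityContext sc, String projectLink) {
        ContainerHostSpec hostSpec = extractContainerHostSpec(op);
        // … unchanged: null-chain check computing isCreatePKSClusterRequest …
        if (!isCreatePKSClusterRequest || op.getAction() != Action.POST) {
            return false;
        }
        // the request-scoped project, when present, must be one the caller belongs to
        if (projectLink != null && !isProjectAdminOrProjectMember(projectLink, sc)) {
            return false;
        }
        // tenantLinks come from the request body and are untrusted: every project
        // link named there must also be one the caller belongs to
        boolean sawProjectLink = projectLink != null;
        if (hostSpec.hostState.tenantLinks != null) {
            for (String tenantLink : hostSpec.hostState.tenantLinks) {
                if (!isProjectLink(tenantLink)) {
                    continue;
                }
                if (!isProjectAdminOrProjectMember(tenantLink, sc)) {
                    return false;
                }
                sawProjectLink = true;
            }
        }
        return sawProjectLink;
    }
```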
