feat(ACI): EE-261 Add RBAC to ACI (#226)

Co-authored-by: Simon Meng <simon.meng@portainer.io>
cong meng
2021-04-09 12:20:33 +12:00
committed by GitHub
parent 4682056058
commit 6eb3dfd3c2
11 changed files with 270 additions and 23 deletions
+13 -5
@@ -22,14 +22,22 @@ func (transport *Transport) createAzureRequestContext(request *http.Request) (*a
}
context := &azureRequestContext{
isAdmin: true,
userID: tokenData.ID,
resourceControls: resourceControls,
isAdmin: true,
userID: tokenData.ID,
resourceControls: resourceControls,
endpointResourceAccess: false,
}
if tokenData.Role != portainer.AdministratorRole {
context.isAdmin = false
user, err := transport.dataStore.User().User(context.userID)
if err != nil {
return nil, err
}
_, context.endpointResourceAccess = user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
if err != nil {
return nil, err
@@ -72,7 +80,7 @@ func (transport *Transport) createPrivateResourceControl(
}
func (transport *Transport) userCanDeleteContainerGroup(request *http.Request, context *azureRequestContext) bool {
if context.isAdmin {
if context.isAdmin || context.endpointResourceAccess {
return true
}
resourceIdentifier := request.URL.Path
@@ -119,7 +127,7 @@ func (transport *Transport) filterContainerGroups(containerGroups []interface{},
}
}
if context.isAdmin || userCanAccessResource {
if context.isAdmin || context.endpointResourceAccess || userCanAccessResource {
filteredContainerGroups = append(filteredContainerGroups, containerGroup)
}
}
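Review bot: In the first hunk, `endpointResourceAccess` is taken from the comma-ok presence of the key (`_, context.endpointResourceAccess = user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]`), so the stored value is discarded; if the inner authorization map holds a bool, an entry explicitly set to false would still enable the bypass that userCanDeleteContainerGroup and filterContainerGroups rely on in the two later hunks. If that is the map's shape, assign the value rather than the presence flag: `context.endpointResourceAccess = user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]` — a missing endpoint or key still yields false because reads from a nil map are safe. Either way, a short comment on that assignment stating that this authorization skips the per-resource ownership checks would help the next reader, since the flag widens access rather than narrowing it. createAzureRequestContext starts before this hunk and its body continues past it.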
+5 -4
@@ -27,10 +27,11 @@ type (
}
azureRequestContext struct {
isAdmin bool
userID portainer.UserID
userTeamIDs []portainer.TeamID
resourceControls []portainer.ResourceControl
isAdmin bool
endpointResourceAccess bool
userID portainer.UserID
userTeamIDs []portainer.TeamID
resourceControls []portainer.ResourceControl
}
)
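Review bot: The new `endpointResourceAccess` field of azureRequestContext has no comment, and unlike `isAdmin` its name does not convey that it short-circuits the resource-control checks; the other file in this commit sets it from the user's `EndpointResourcesAccess` authorization for the endpoint and ORs it with `isAdmin` when deciding delete and list access. A one-line comment such as `// endpointResourceAccess is set when the user holds the EndpointResourcesAccess authorization on this endpoint; like isAdmin it bypasses per-resource ownership checks` would make that widened-access meaning visible at the definition. The struct is part of a `type (...)` group whose opening is outside the hunk.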