Commit Graph

573 Commits

Author SHA1 Message Date
cong meng
6eb3dfd3c2 feat(ACI): EE-261 Add RBAC to ACI (#226)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-09 02:20:33 +02:00
Chaim Lev-Ari
2fb60a29de style(proxy): fix function name (#243) 2021-04-09 09:02:32 +12:00
cong meng
edb05e6e00 feat(ACI): EE-273 add UAC to ACI (#222)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-08 10:46:04 +12:00
Chaim Lev-Ari
b8ecadb314 feat(useractivity): introduce auth logs (#203) 2021-04-07 16:54:07 +12:00
Dmitry Salakhov
e15b908983 Feat(backup): add the ability to backup and restore portainer from file [EE-279] (#204)
* EE-319: backup endpoint (#193)

* feat(backup):
* add an orbiter to block writes while backup
* add backup handler
* add an ability to tar.gz a dir
* add aes encryption support

* EE-320: restore endpoint (#196)

* feat(backup):
* add restore handler
* re-init system state after restore

* feat(backup): Update server to respect readonly lock (#199)

* feat(backup): EE-322 Add backup and restore screen (#198)

Co-authored-by: Simon Meng <simon.meng@portainer.io>

* name archive as portainer-backup_yyyy-mm-dd_hh-mm-ss

* backup custom templates and edge jobs

* restart http and proxy servers after restore to re-init internal state

* feat(backup): EE-322 hide password field if password protect toggle is off

* feat(backup): EE-322 add tooltip for password field of restore backup

* feat(backup): EE-322 wait for backend restart after restoring

* Shutdown background go-routines

* changed restore err message when cannot extract

* fix: symlinks are ignored from backups

* replace single admin check with a restartable monitor (#238)

* clean log

Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
Co-authored-by: cong meng <mcpacino@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-06 15:41:41 +12:00
cong meng
f9cf76234f feat(rbac): EE-226 Add a new RBAC "Operator" Role (#191)
* feat(rbac): EE-226 Add a new RBAC "Operator" Role

* feat(rbac): EE-226 prioritize Operator after EndpointAdmin and before Helpdesk

* feat(rbac): EE-226 access viewer shows incorrect effective role after introduce of Operator

* feat(rbac): EE-226 show roles order by priority other than name

* feat(rbac): EE-226 remove OperationK8sVolumeDetailsW authorization from operator role

* feat(rbac): EE-226 always increase bucket next sequence when create a role

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-06 11:34:54 +12:00
Chaim Lev-Ari
590755071f chore(deps): fix /x/sys version (#217)
closes [EE-429]
2021-04-05 23:14:11 +02:00
cong meng
0eec606ebe feat(authentication): EE-73 Rename all usernames to lowercase (#228)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-03-29 19:09:17 +02:00
cong meng
1c938516ee Feat(docker): relocate docker features security settings to be available per endpoint EE-131 (#209)
* feat(docker) EE-131 relocate the Docker features/security settings to be available per endpoint

* feat(docker) EE-131 allow endpoint admin role user to update endpoint settings

* feat(docker) EE-131 populate volume browsing authorizations to user endpoint authorizations when user toggle the setting of volume management for non-administrators

* feat(docker) EE-131 remove parameter volumeBrowsingAuthorizations from all DefaultEndpointAuthorizationsForxxx functions

* feat(docker) EE-131 fix a layout bug of the browse button

* feat(ACI): EE-273 move migrator of 27 into migrate_dbversion26.go

* feat(docker) EE-131 in container creation view, show the privileged mode toggle if current user is admin or endpoint admin

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-03-24 23:10:10 +01:00
Chaim Lev-Ari
65028ed96f feat(stacks): scope stack names to endpoint (#4520) (#212)
* refactor(stack): create unique name function

* refactor(stack): change stack resource control id

* feat(stacks): validate stack unique name in endpoint

* feat(stacks): prevent name collision with external stacks

* refactor(stacks): move resource id util

* refactor(stacks): supply resource id util with name and endpoint

* fix(docker): calculate swarm resource id

* feat(stack): prevent migration if stack name already exist

* feat(authorization): use stackutils
2021-03-24 16:40:25 +13:00
Chaim Lev-Ari
78cf608990 feat(compose): add docker-compose wrapper (#161)
* feat(compose): add docker-compose wrapper (#4713)

* feat(compose): add docker-compose wrapper

ce-187

* fix(compose): pick compose implementation upon startup

* Add static compose build for linux

* Fix wget

* Fix platform specific docker-compose download

* Keep amd64 architecture as download parameter

* Add tmp folder for docker-compose

* fix: line endings

* add proxy server

* logs

* Proxy

* Add lite transport for compose

* Fix local deployment

* refactor: pass proxyManager by ref

* fix: string conversion

* refactor: compose wrapper remove unused code

* fix: tests

* Add edge

* Fix merge issue

* refactor: remove unused code

* Move server to proxy implementation

* Cleanup wrapper and manager

* feat: pass max supported compose syntax version with each endpoint

* fix: pick compose syntax version

* fix: store wrapper version in portainer

* Get and show composeSyntaxMaxVersion at stack creation screen

* Get and show composeSyntaxMaxVersion at stack editor screen

* refactor: proxy server

* Fix used tmp

* Bump docker-compose to 1.28.0

* remove message for docker compose limitation

* fix: markup typo

* Rollback docker compose to 1.27.4

* * attempt to fix the windows build issue

* * attempt to debug grunt issue

* * use console log in grunt file

* fix: try to fix windows build by removing indirect deps from go.mod

* Remove tmp folder

* Remove builder stage

* feat(build/windows): add git for Docker Compose

* feat(build/windows): add git for Docker Compose

* feat(build/windows): add git for Docker Compose

* feat(build/windows): add git for Docker Compose

* feat(build/windows): add git for Docker Compose

* feat(build/windows): add git for Docker Compose - fixed verbose output

* refactor: renames

* fix(stack): get endpoint by EndpointProvider

* fix(stack): use margin to add space between line instead of using br tag

Co-authored-by: Stéphane Busso <stephane.busso@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
Co-authored-by: yi-portainer <yi.chen@portainer.io>
Co-authored-by: Steven Kang <skan070@gmail.com>

* refactor(stacks): use compose library

* refactor(stacks): remove utils

* chore(deps): pin docker-compose-wrapper

* chore(build): simplify docker-compose build

* chore(build): remove ps compose script

* chore(deps): update docker-compose-wrapper

* fix(compose): close proxy after command

Co-authored-by: Stéphane Busso <stephane.busso@gmail.com>
Co-authored-by: Simon Meng <simon.meng@portainer.io>
Co-authored-by: yi-portainer <yi.chen@portainer.io>
Co-authored-by: Steven Kang <skan070@gmail.com>
2021-03-21 22:38:45 +01:00
cong meng
b401ab5081 fix(registries): update password only when not empty (ee-138) (#175)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-03-12 22:27:41 +01:00
yi-portainer
0cf7e6f2eb * update version to 2.0.2 2021-03-12 10:48:50 +13:00
cong meng
d618d05ee1 fix(stack): stacks created via API are incorrectly marked as private with no owner (ee#74) (#156)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-02-26 01:16:18 +01:00
Chaim Lev-Ari
924bfdee2a feat(docker/stacks): introduce date info for stacks (#182)
* feat(docker/stacks): add creation and update dates

* feat(docker/stacks): put ownership column as the last column

* feat(docker/stacks): fix the no stacks message

* refactor(docker/stacks): make external stacks helpers more readable

* feat(docker/stacks): add updated and created by

* feat(docker/stacks): toggle updated column

* refactor(datatable): create column visibility component

Co-authored-by: alice groux <alice.grx@gmail.com>
2021-02-25 15:59:38 +01:00
yi-portainer
c3f82f51c9 * update version to 2.0.1
(cherry picked from commit 5a784906db76f01461430489bba19ede71aefb93)
2021-02-22 19:10:13 +13:00
Yi Chen
92d597608e fix(RBAC) adding/removing teams into namespace causing error (#129)
* * handle teams been added or removed in the resource pool
* do not delete role bindings but just remove the user subject

* * fix missing rolemap

* * revert the role bindings changes (not the cause of the issue)

* * fix token cache cleaning endpoint tokens
2020-12-02 20:38:09 +13:00
Stéphane Busso
5e8e6d2821 chore(license): Update liblicense (#130) 2020-12-02 14:43:31 +13:00
Stéphane Busso
d46844fa7c Override license server (#128) 2020-12-02 09:38:52 +13:00
Yi Chen
f6824ce11c - remove rbac debug statements (#126) 2020-12-01 22:37:13 +13:00
Stéphane Busso
5f9ece92ae fix(board): Set license validation every day fixes#117 (#47) 2020-12-01 22:36:35 +13:00
Stéphane Busso
e316a5ebe1 fix(license): Fix license expiration inconsistency with displayed date (#111)
* fix(license): Fix license expiration inconsistency with displayed date

* Fix inconsistent expiration

* Use liblicense expiration compute

* wip

* Use db for expiresAt in license detailed view

* Fix date differences
2020-12-01 17:39:37 +13:00
Yi Chen
db9a1826e5 * fix nil user or team access in edge endpoint (#125) 2020-12-01 15:27:26 +13:00
Yi Chen
02b1ccd521 fix(RBAC) remove role/cluster role bindings when user is deleted (#120)
* * partially ignore errors during user deletion
* collect all errors during user deletion
* remove role/cluster role bindings when empty

* + update resource pool access endpoint
* remove bindings when user is removed from resource pool
* remove token cache when user is added to the resource pool

* - remove delete tokens endpoint
* use actual TriggerUserAuthUpdate

* * fix comments

* * improve error returns
2020-12-01 11:45:49 +13:00
Yi Chen
d4929f06f8 fix(RBAC) refresh user token when operating on endpoints, namespaces, users, teams and memberships (#117)
* * refresh user auth when operating endpoint, team, user and membership

* + adding delete token endpoint
* remove tokens when auth config map is changed

* feat(rbac): add warning messages in the UI

* feat(endpoint): update access warnings

* * fix delete tokens api url

Co-authored-by: Anthony Lapenna <lapenna.anthony@gmail.com>
2020-11-30 21:15:52 +13:00
Stéphane Busso
fc5b5368f1 fix(settings): Fix portainer fail to start when missing settings (#123) 2020-11-30 18:39:29 +13:00
Anthony Lapenna
e3b38d0b0a fix(docker/resourcecontrol): fix an issue with Docker resource deletion (#121) 2020-11-30 17:07:46 +13:00
Yi Chen
05cd7094a5 fix(RBAC): authorize advanced deployment (#116)
* * removed authorization in stack deployment, will let k8s handling it

* * removed unused import

* + OperationK8sApplicationsAdvancedDeploymentRW for user
* check namespace authorization in k8s stack deployment endpoint

* - remove OperationK8sApplicationsAdvancedDeploymentRW from user
2020-11-30 13:02:05 +13:00
Maxime Bajeux
7254703449 fix(rbac): Endpoint admin cannot access the cluster setup view (#112)
* fix(rbac): Endpoint admin cannot access the cluster setup view

* * allow endpoint admin to update k8s cluster setup in endpoint

* * make sure a user token is issued first

* fix(rbac): allow admin to update cluster setup

Co-authored-by: yi-portainer <yi.chen@portainer.io>
2020-11-27 14:12:46 +13:00
Maxime Bajeux
8fed4181ed fix(rbac): Error thrown in the node details view for the helpdesk user (#113) 2020-11-26 22:20:52 +13:00
Maxime Bajeux
414e62503b fix(rbac): forbidden view access (#101)
* fix(rbac): Not enforcing on backend for resource creation, application edit and console log operations of users that this should be prevented for

* + k8s access user namespaces policy
+ debug logs
* fix multiple authorization calculation issues

* * use endpoint role rather than user role for calculating authorizations

* * fix namespace role binding

* * check user authorization in k8s pod exec

* * fix some of the logging messages

Co-authored-by: yi-portainer <yi.chen@portainer.io>
2020-11-26 11:30:36 +13:00
Chaim Lev-Ari
9a16af37af fix(router): block route if license is invalid (#90)
* feat(router): add transition guard for init route

* feat(router): check if license is valid between routes

* style(app): change order of config and run

* feat(bouncer): block non admins from using without license

* style(bouncer): add comment about license validation
2020-11-26 09:35:40 +13:00
Chaim Lev-Ari
9dbe6d9474 feat(license): count standalone nodes (#102)
* feat(license): count standalone nodes

* refactor(http/status): return maximum
2020-11-26 09:33:54 +13:00
Stéphane Busso
ab796b6896 chore(license): update license package to manage expiration date (#108) 2020-11-25 17:42:11 +13:00
Alice Groux
fe66252df7 fix(k8s/storageclass): hide disabled storage options for standard users and readonly users (#105) 2020-11-24 14:00:06 +13:00
Yi Chen
8f66414be9 Remove the cache of kcli with edge proxy (#103)
* * removes kube client cache when edge proxy is removed

* + added logging when failed retrieving k8s service account token

* * take out reusable code
2020-11-24 13:26:15 +13:00
cong meng
2378d4cc9d fix(frontend): show failing placement details for endpoint-admin and helpdesk users (#100)
* fix(frontend): show failing placement details for endpoint-admin and helpdesk users

* fix(frontend): add excludeAuthorization directive to determine endpoint-admin and helpdesk users

* fix(k8s/rbac): add OperationK8sApplicationErrorDetailsR authorization for endpoint-admin and helpdesk users

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2020-11-23 21:51:22 +13:00
Chaim Lev-Ari
44fa68407d fix(licenses): prevent removal of last valid license (#89)
* fix(licenses): prevent removal of last valid license

* * add back the logic that prevent the last license been removed, whether valid or not.

* Revert "* add back the logic that prevent the last license been removed, whether valid or not."

This reverts commit 389b5f8985bf543821cab02ad3252d75ef46ccee.

Co-authored-by: yi-portainer <yi.chen@portainer.io>
2020-11-21 16:36:50 +13:00
Stéphane Busso
428ac54b08 fix(license): better error message when login with no valid license (#99)
* fix(license): better error message when login with no valid license

* add authenticateOAuth
2020-11-21 08:37:48 +13:00
Stéphane Busso
d41676ec02 fix(license): update liblicense with invalid message when login 2020-11-20 15:50:56 +13:00
Stéphane Busso
4897f3a87c fix(portainer): Remove the version update notifier on the sidebar in BE (#96) 2020-11-20 15:36:55 +13:00
Stéphane Busso
faa04c188b feat(bolt/backup): backup and restore db for migration and edition upgrades (#87)
* refactor backup

Update upgrade texts

* Restore Failed Upgrade to EE to initial CE version

* Store version before upgrading

* Check rollback command line

* Fix version display

* Update template url only for CE 1.xx

* Fix comments

* revert go modules

* remove duplicate migration

* remove unused files
2020-11-20 12:40:01 +13:00
Maxime Bajeux
2460dfe6dc fix(team): deleting a team throws error object not found in database (#85) 2020-11-19 19:34:04 +13:00
Yi Chen
5829da5560 * update license check url (#86) 2020-11-19 13:35:31 +13:00
Stéphane Busso
60e7875889 feat(bolt): add log package (#82) 2020-11-19 11:17:57 +13:00
Alice Groux
0e489aa898 fix(k8s/cluster): update right access to cluster resource panel (#81) 2020-11-19 11:16:20 +13:00
Stéphane Busso
3a6b6cc7a3 feat(bolt): extract services to new file (#83) 2020-11-19 11:09:21 +13:00
Stéphane Busso
59446e1853 fix(portainer): fix couple of comments (#84) 2020-11-19 11:08:37 +13:00
Chaim Lev-Ari
856922f25c chore(deps): update liblicense (#62) 2020-11-15 22:16:22 +13:00
Chaim Lev-Ari
dc437084f2 feat(ldap): show groups in a better format (#55)
* feat(ldap): show list of groups

* feat(ldap): show only the cn part of the username

* fix(ldap): rename group search button
2020-11-12 09:33:24 +13:00