* feat(rbac): EE-226 Add a new RBAC "Operator" Role
* feat(rbac): EE-226 prioritize Operator after EndpointAdmin and before Helpdesk
* feat(rbac): EE-226 access viewer shows incorrect effective role after introduction of Operator
* feat(rbac): EE-226 show roles order by priority other than name
* feat(rbac): EE-226 remove OperationK8sVolumeDetailsW authorization from operator role
* feat(rbac): EE-226 always increase bucket next sequence when creating a role
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* feat(docker) EE-131 relocate the Docker features/security settings to be available per endpoint
* feat(docker) EE-131 allow endpoint admin role user to update endpoint settings
* feat(docker) EE-131 populate volume browsing authorizations to user endpoint authorizations when user toggles the setting of volume management for non-administrators
* feat(docker) EE-131 remove parameter volumeBrowsingAuthorizations from all DefaultEndpointAuthorizationsForxxx functions
* feat(docker) EE-131 fix a layout bug of the browse button
* feat(ACI): EE-273 move migrator of 27 into migrate_dbversion26.go
* feat(docker) EE-131 in container creation view, show the privileged mode toggle if current user is admin or endpoint admin
Co-authored-by: Simon Meng <simon.meng@portainer.io>
* refactor backup
Update upgrade texts
* Restore Failed Upgrade to EE to initial CE version
* Store version before upgrading
* Check rollback command line
* Fix version display
* Update template url only for CE 1.xx
* Fix comments
* revert go modules
* remove duplicate migration
* remove unused files
* feat(ldap): move urls to url
* feat(ldap): test a few connections
* feat(ldap): update urls
* feat(settings-auth): support array of ldap urls
* feat(settings-auth): support list of urls
* feat(auth): add explanation about server urls
* feat(bolt): add url to urls only if needed
* fix(settings): add nil guards
* fix(settings): set initial value for ldap urls
* feat(settings): prevent the deletion of the first url
* feat(core/settings): minor UI update
* feat(authentication): check that ldap settings are valid
* feat(bolt): create migration for settings
* fix(settings): add wrapping
* feat(ldap): disable submit button only on ldap
Co-authored-by: Anthony Lapenna <lapenna.anthony@gmail.com>
* refactor(rbac): move client extension code
* feat(app): remove checks for extension
* feat(rbac): remove checks for extensions
* feat(extensions): remove reference to rbac extensions
* feat(roles): add changes from codebase before removal of rbac
* refactor(security): remove rbac service
* refactor(security): use AdminAccess as an alias
* fix(access): rename policies type
* style(security): add comment about Aliasing AdminAccess to RestrictedAccess
* feat(bolt): add auth migration from ce to ee
* feat(stacks): use authorized access to stop/start stacks
* fix(bolt): supply right params to migrator
* feat(rbac): get authorization on client side
* feat(settings): introduce settings to allow/disable
* feat(settings): update the setting
* feat(docker): prevent user from using caps if disabled
* refactor(stacks): revert file
* style(api): remove portainer ns
* feat(stacks): add a setting to disable the creation of stacks for non-admin users
* feat(settings): introduce a setting to prevent non-admin from stack creation
* feat(settings): update stack creation setting
* feat(settings): fail stack creation if user is non admin
* fix(settings): save preventStackCreation setting to state
* feat(stacks): disable add button when settings is enabled
* format(stacks): remove line
* feat(stacks): setting to hide stacks from users
* feat(settings): rename disable stacks setting
* refactor(settings): rename setting to disableStackManagementForRegularUsers
* feat(settings): hide stacks for non admin when settings is set
* refactor(settings): replace disableDeviceMapping with allow
* feat(dashboard): hide stacks if settings disabled and non admin
* refactor(sidebar): check if user is endpoint admin
* feat(settings): set the default value for stack management
* feat(settings): rename field label
* fix(sidebar): refresh show stacks state
* fix(docker): hide stacks when not admin
* feat(settings): add setting to disable device mapping for regular users
* feat(settings): introduce device mapping service
* feat(containers): hide devices field when setting is on
* feat(containers): prevent passing of devices when not allowed
* feat(stacks): prevent non admin from device mapping
* feat(stacks): disallow swarm stack creation for user
* refactor(settings): replace disableDeviceMapping with allow
* fix(stacks): remove check for disable device mappings from swarm
* feat(settings): rename field to disable
* feat(settings): supply default value for disableDeviceMapping
* feat(container): check for endpoint admin
* style(server): sort imports
* feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970)
* feat(containers): Prevent non-admin users from running containers using the host namespace pid
* feat(containers): add rbac check for swarm stack too
* feat(containers): remove forgotten conflict
* feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action
* feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html
* feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers
* feat(database): trigger migration for AllowHostNamespace
* feat(containers): check container creation authorization
Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
* feat(auth): introduce new timeout constant
* feat(auth): pass timeout from handler
* feat(auth): add timeout selector to auth settings view
* feat(settings): add user session timeout property
* feat(auth): load user session timeout from settings
* fix(settings): use correct time format
* feat(auth): remove no-auth flag
* refactor(auth): move timeout mgmt to jwt service
* refactor(client): remove no-auth checks from client
* refactor(cli): remove defaultNoAuth
* feat(settings): create settings with default user timeout value
* refactor(db): save user session timeout always
* refactor(jwt): return error
* feat(auth): set session timeout in jwt service on update
* feat(auth): add description and time settings
* feat(auth): parse duration
* feat(settings): validate user timeout format
* refactor(settings): remove unnecessary import
* refactor(tags): replace tags with tag ids
* refactor(tags): revert tags to be strings and add tagids
* refactor(tags): enable search by tag in home view
* refactor(tags): show endpoint tags
* refactor(endpoints): expect tagIds on create payload
* refactor(endpoints): expect tagIds on update payload
* refactor(endpoints): replace TagIds to TagIDs
* refactor(endpoints): set endpoint group to get TagIDs
* refactor(endpoints): refactor tag-selector to receive tag-ids
* refactor(endpoints): show tags in multi-endpoint-selector
* chore(tags): revert reformat
* refactor(endpoints): remove unneeded bind
* refactor(endpoints): change param tags to tagids in endpoint create
* refactor(endpoints): remove console.log
* refactor(tags): remove deleted tag from endpoint and endpoint group
* fix(endpoints): show loading label while loading tags
* chore(go): remove obsolete import labels
* chore(db): add db version comment
* fix(db): add tag service to migrator
* refactor(db): add error checks in migrator
* style(db): sort props in alphabetical order
* style(tags): fix typo
Co-Authored-By: Anthony Lapenna <anthony.lapenna@portainer.io>
* refactor(endpoints): replace tagsMap with tag string representation
* refactor(tags): rewrite tag delete to be more readable
* refactor(home): rearrange code to match former style
* refactor(tags): guard against missing model in tag-selector
* refactor(tags): rename vars in tag_delete
* refactor(tags): allow any authenticated user to fetch tag list
* refactor(endpoints): replace controller function with class
* refactor(endpoints): replace function with helper
* refactor(endpoints): replace controller with class
* refactor(tags): revert tags-selector to use 1 way bindings
* refactor(endpoints): load empty tag array instead of nil
* refactor(endpoints): revert default tag ids
* refactor(endpoints): use function in place
* refactor(tags): use lodash
* style(tags): use parens in arrow functions
* fix(tags): remove tag from tag model
Co-authored-by: Anthony Lapenna <anthony.lapenna@portainer.io>