Commit Graph

20 Commits

Author SHA1 Message Date
cong meng
6eb3dfd3c2 feat(ACI): EE-261 Add RBAC to ACI (#226)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-09 02:20:33 +02:00
cong meng
edb05e6e00 feat(ACI): EE-273 add UAC to ACI (#222)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-08 10:46:04 +12:00
cong meng
f9cf76234f feat(rbac): EE-226 Add a new RBAC "Operator" Role (#191)
* feat(rbac): EE-226 Add a new RBAC "Operator" Role

* feat(rbac): EE-226 prioritize Operator after EndpointAdmin and before Helpdesk

* feat(rbac): EE-226 access viewer shows incorrect effective role after introduce of Operator

* feat(rbac): EE-226 show roles order by priority other than name

* feat(rbac): EE-226 remove OperationK8sVolumeDetailsW authorization from operator role

* feat(rbac): EE-226 always increase bucket next sequence when create a role

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-04-06 11:34:54 +12:00
cong meng
1c938516ee Feat(docker): relocate docker features security settings to be available per endpoint EE-131 (#209)
* feat(docker) EE-131 relocate the Docker features/security settings to be available per endpoint

* feat(docker) EE-131 allow endpoint admin role user to update endpoint settings

* feat(docker) EE-131 populate volume browsing authorizations to user endpoint authorizations when user toggle the setting of volume management for non-administrators

* feat(docker) EE-131 remove parameter volumeBrowsingAuthorizations from all DefaultEndpointAuthorizationsForxxx functions

* feat(docker) EE-131 fix a layout bug of the browse button

* feat(ACI): EE-273 move migrator of 27 into migrate_dbversion26.go

* feat(docker) EE-131 in container creation view, show the privileged mode toggle if cureent user is admin or endpoint admin

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-03-24 23:10:10 +01:00
Chaim Lev-Ari
65028ed96f feat(stacks): scope stack names to endpoint (#4520) (#212)
* refactor(stack): create unique name function

* refactor(stack): change stack resource control id

* feat(stacks): validate stack unique name in endpoint

* feat(stacks): prevent name collision with external stacks

* refactor(stacks): move resource id util

* refactor(stacks): supply resource id util with name and endpoint

* fix(docker): calculate swarm resource id

* feat(stack): prevent migration if stack name already exist

* feat(authorization): use stackutils
2021-03-24 16:40:25 +13:00
cong meng
d618d05ee1 fix(stack): stacks created via API are incorrectly marked as private with no owner (ee#74) (#156)
Co-authored-by: Simon Meng <simon.meng@portainer.io>
2021-02-26 01:16:18 +01:00
Yi Chen
92d597608e fix(RBAC) adding/removing teams into namespace causing error (#129)
* * handle teams been added or removed in the resource pool
* do not delete role bindings but just remove the user subject

* * fix missing rolemap

* * revert the role bindings changes (not the cause of the issue)

* * fix token cache cleaning endpoint tokens
2020-12-02 20:38:09 +13:00
Yi Chen
f6824ce11c - remove rbac debug statements (#126) 2020-12-01 22:37:13 +13:00
Yi Chen
02b1ccd521 fix(RBAC) remove role/cluster role bindings when user is deleted (#120)
* * partially ignore errors during user deletion
* collect all errors during user deletion
* remove role/cluster role bindings when empty

* + update resource pool access endpoint
* remove bindings when user is removed from resource pool
* remove token cache when user is added to the resource pool

* - remove delete tokens endpoint
* use actual TriggerUserAuthUpdate

* * fix comments

* * improve error returns
2020-12-01 11:45:49 +13:00
Yi Chen
d4929f06f8 fix(RBAC) refresh user token when operating on endpoints, namespaces, users, teams and memberships (#117)
* * refresh user auth when operating endpoint, team, user and membership

* + adding delete token endpoint
* remove tokens when auth config map is changed

* feat(rbac): add warning messages in the UI

* feat(endpoint): update access warnings

* * fix delete tokens api url

Co-authored-by: Anthony Lapenna <lapenna.anthony@gmail.com>
2020-11-30 21:15:52 +13:00
Maxime Bajeux
414e62503b fix(rbac): forbidden view access (#101)
* fix(rbac): Not enforcing on backend for resource creation, application edit and console log operations of users that this should be prevented for

* + k8s access user namespaces policy
+ debug logs
* fix multiple authorization calculation issues

* * use endpoint role rather than user role for calculating authorizations

* * fix namespace role binding

* * check user authorization in k8s pod exec

* * fix some of the logging messages

Co-authored-by: yi-portainer <yi.chen@portainer.io>
2020-11-26 11:30:36 +13:00
Alice Groux
fe66252df7 fix(k8s/storageclass): hide disabled storage options for standard users and readonly users (#105) 2020-11-24 14:00:06 +13:00
cong meng
2378d4cc9d fix(frontend): show failing placement details for endpoint-admin and helpdesk users (#100)
* fix(frontend): show failing placement details for endpoint-admin and helpdesk users

* fix(frontend): add excludeAuthorization directive to determine endpoint-admin and helpdesk users

* fix(k8s/rbac): add OperationK8sApplicationErrorDetailsR authorization for endpoint-admin and helpdesk users

Co-authored-by: Simon Meng <simon.meng@portainer.io>
2020-11-23 21:51:22 +13:00
Maxime Bajeux
2460dfe6dc fix(team): deleting a team throws error object not found in database (#85) 2020-11-19 19:34:04 +13:00
Alice Groux
0e489aa898 fix(k8s/cluster): update right access to cluster resource panel (#81) 2020-11-19 11:16:20 +13:00
Yi Chen
2247d8c3a2 (feat)k8s/RBAC: Provide Portainer RBAC functionality for Kubernetes endpoints (#35)
* + endpoint and namespace level authorizations
+ user namespace authorization API
+ k8s client setup service account with k8s roles and policies by portainer role
* User authorization changes refresh token cache
* rbac authorizes k8s requests
* CE to EE migrator to include new authorizations

* code clean up
* comments

* * merge in the RestrictDefaultNamespace changes

* - remove unnecessary check for default namespace

* + updates namespace access policies when generating token

* * updates namespace access policies when querying the user namespace endpoint

* + k8s rule in rbac.go for endpoint access test
+ missing k8s cluster rules for different roles

* feat(rbac): update kube rbac

* feat(rbac): use the authorization directive

* feat(rbac): Update namespace access policies when user/team is deleted

* refactor(app): use new angular-multi-select capabilities

* feat(rbac): fix authorizations

* feat(rbac): fix userAccessPolicies update bug

* feat(rbac): add W applications authorizations

* feat(rbac): add application details W authorizations

* feat(rbac): add configurations W autohorizations

* feat(rbac): add configuration details W authorizations

* feat(rbac): add volumes W authorizations

* feat(rbac): add volume details W authorizations

* feat(rbac): add componentstatus to portainer-view role and add cluster/node authorizations

* fix(rbac): disable application note for non authorized user

* fix(rbac): add endpoints list and components status to portainer-basic

* fix(rbac): allow user to access default namespace when restrict default namespace isn't activated

* fix(rbac): remove default namespace from useraccesspolicies when restrict default namespace isn't activated

* fix(rbac): change some things

* fix(rbac): allow standard user to access container console

* - removed unused parameter

* fix(rbac): fix team authorizations

Co-authored-by: Maxime Bajeux <max.bajeux@gmail.com>
Co-authored-by: xAt0mZ <baron_l@epitech.eu>
2020-11-03 22:08:09 +13:00
Chaim Lev-Ari
8dba19694a feat(roles-management): integrate rbac extension (#6)
* refactor(rbac): move client extension code

* feat(app): remove checks for extension

* feat(rbac): remove checks for extensions

* feat(extensions): remove reference to rbac extensions

* feat(roles): add changes from codebase before removal of rbac

* refactor(security): remove rbac service

* refactor(security): use AdminAccess as an alias

* fix(access): rename policies type

* style(security): add comment about Aliasing AdminAccess to RestrictedAccess

* feat(bolt): add auth migration from ce to ee

* feat(stacks): use authorized access to stop/start stacks

* fix(bolt): supply right params to migrator

* feat(rbac): get authorization on client side
2020-10-07 23:21:14 +13:00
Chaim Lev-Ari
9d18d47194 feat(extensions): remove rbac extension (#4157)
* feat(extensions): remove rbac extension client code

* feat(extensions): remove server rbac code

* remove extensions code

* fix(notifications): remove error

* feat(extensions): remove authorizations service

* feat(rbac): deprecate fields

* fix(portainer): revert change

* fix(bouncer): remove rbac authorization check

* feat(sidebar): remove roles link

* fix(portainer): remove portainer module
2020-08-11 17:41:37 +12:00
Chaim Lev-Ari
53b37ab8c8 feat(custom-templates): introduce custom templates (#3906)
* feat(custom-templates): introduce types

* feat(custom-templates): introduce data layer service

* feat(custom-templates): introduce http handler

* feat(custom-templates): create routes and view stubs

* feat(custom-templates): add create custom template ui

* feat(custom-templates): add json keys

* feat(custom-templates): introduce custom templates list page

* feat(custom-templates): introduce update page

* feat(stack): create template from stack

* feat(stacks): create stack from custom template

* feat(custom-templates): disable edit/delete of templates

* fix(custom-templates): fail update on non admin/owner

* fix(custom-templates): add ng-inject decorator

* chore(plop): revert template

* feat(stacks): remove actions column

* feat(stack): add button to create template from stack

* feat(stacks): add empty state for templates

* feat(custom-templates): show templates in a list

* feat(custom-template): replace table with list

* feat(custom-templates): move create template button

* refactor(custom-templates): introduce more fields

* feat(custom-templates): use stack type when creating template

* feat(custom-templates): use same type as stack

* feat(custom-templates): add edit and delete buttons to template item

* feat(custom-templates): customize stack before deploy

* feat(stack): show template details

* feat(custom-templates): move customize

* feat(custom-templates): create description required

* fix(template): show platform icon

* fix(custom-templates): show spinner when creating stack

* feat(custom-templates): prevent user from edit templates

* feat(custom-templates): use resource control for custom templates

* feat(custom-templates): show created templates

* feat(custom-templates): filter templates by stack type

* fix(custom-templates): create swarm or standalone stack

* feat(stacks): filter templates by type

* feat(resource-control): disable resource control on public

* feat(custom-template): apply access control on edit

* feat(custom-template): add form validation

* feat(stack): disable create custom template from external task

* refactor(custom-templates): create template from file and type

* feat(templates): introduce a file handler that returns template docker file

* feat(template): introduce template duplication

* feat(custom-template): enforce unique template name

* fix(template): rename copy button

* fix(custom-template): clear access control selection between templates

* fix(custom-templates): show required fields

* refactor(filesystem): use a constant for temp path
2020-07-07 11:18:39 +12:00
Chaim Lev-Ari
7c3b83f6e5 refactor(portainer): introduce internal package (#3924)
* refactor(auth): move auth helpers to internal package

* refactor(edge-compute): move edge helpers to internal package

* refactor(tags): move tags helper to internal package

* style(portainer): sort imports
2020-06-16 19:58:16 +12:00