1c938516ee
* feat(docker) EE-131 relocate the Docker features/security settings to be available per endpoint * feat(docker) EE-131 allow endpoint admin role user to update endpoint settings * feat(docker) EE-131 populate volume browsing authorizations to user endpoint authorizations when user toggle the setting of volume management for non-administrators * feat(docker) EE-131 remove parameter volumeBrowsingAuthorizations from all DefaultEndpointAuthorizationsForxxx functions * feat(docker) EE-131 fix a layout bug of the browse button * feat(ACI): EE-273 move migrator of 27 into migrate_dbversion26.go * feat(docker) EE-131 in container creation view, show the privileged mode toggle if current user is admin or endpoint admin Co-authored-by: Simon Meng <simon.meng@portainer.io>
package migrator
import (
portainer "github.com/portainer/portainer/api"
"github.com/portainer/portainer/api/internal/authorization"
)
// updateEndpointSettingsToDB26 copies the instance-wide Docker security
// flags from the global settings record onto every stored endpoint, so that
// they can subsequently be managed per endpoint.
//
// Behaviour by endpoint type, as implemented below:
//   - Docker, Agent-on-Docker and Edge-Agent-on-Docker endpoints inherit the
//     six "...ForRegularUsers" flags from the global settings.
//   - Agent and Edge-Agent endpoints additionally inherit the volume browser
//     and host management flags.
//   - Every other endpoint type is written back with the zero value of
//     EndpointSecuritySettings.
//
// The function returns the first error it meets. Endpoints already written
// before that error are not reverted here, so a failed run can leave a mix
// of migrated and unmigrated endpoints.
func (m *Migrator) updateEndpointSettingsToDB26() error {
	globalSettings, err := m.settingsService.Settings()
	if err != nil {
		return err
	}

	endpoints, err := m.endpointService.Endpoints()
	if err != nil {
		return err
	}

	for idx := range endpoints {
		// Work on a per-iteration copy; its address is handed to UpdateEndpoint.
		ep := endpoints[idx]

		usesAgent := ep.Type == portainer.AgentOnDockerEnvironment ||
			ep.Type == portainer.EdgeAgentOnDockerEnvironment
		isDocker := usesAgent || ep.Type == portainer.DockerEnvironment

		// Starts as the zero value; only Docker-family endpoints inherit the
		// (potentially permissive) global flags.
		var sec portainer.EndpointSecuritySettings

		if isDocker {
			sec.AllowBindMountsForRegularUsers = globalSettings.AllowBindMountsForRegularUsers
			sec.AllowContainerCapabilitiesForRegularUsers = globalSettings.AllowContainerCapabilitiesForRegularUsers
			sec.AllowDeviceMappingForRegularUsers = globalSettings.AllowDeviceMappingForRegularUsers
			sec.AllowHostNamespaceForRegularUsers = globalSettings.AllowHostNamespaceForRegularUsers
			sec.AllowPrivilegedModeForRegularUsers = globalSettings.AllowPrivilegedModeForRegularUsers
			sec.AllowStackManagementForRegularUsers = globalSettings.AllowStackManagementForRegularUsers
		}

		if usesAgent {
			// These two flags are only carried over for agent-backed endpoints.
			sec.AllowVolumeBrowserForRegularUsers = globalSettings.AllowVolumeBrowserForRegularUsers
			sec.EnableHostManagementFeatures = globalSettings.EnableHostManagementFeatures
		}

		ep.SecuritySettings = sec

		if err := m.endpointService.UpdateEndpoint(ep.ID, &ep); err != nil {
			return err
		}
	}

	return nil
}
// updateRbacRolesToDB26 overwrites the authorizations of the endpoint
// administrator, helpdesk, standard user and read-only roles with the
// defaults returned by the authorization package, then calls
// UpdateUsersAuthorizations on the authorization service.
//
// The stored Authorizations of each of these roles are replaced outright,
// not merged. Roles are visited in map iteration order, which Go leaves
// unspecified, and the first error aborts the run without reverting roles
// already written, so which roles were updated before a failure is not
// deterministic.
func (m *Migrator) updateRbacRolesToDB26() error {
	roleDefaults := map[portainer.RoleID]portainer.Authorizations{
		portainer.RoleIDEndpointAdmin: authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
		portainer.RoleIDHelpdesk:      authorization.DefaultEndpointAuthorizationsForHelpDeskRole(),
		portainer.RoleIDStandardUser:  authorization.DefaultEndpointAuthorizationsForStandardUserRole(),
		portainer.RoleIDReadonly:      authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(),
	}

	for id, auths := range roleDefaults {
		stored, err := m.roleService.Role(id)
		if err != nil {
			// A role that cannot be loaded stops the whole migration step.
			return err
		}

		stored.Authorizations = auths

		if err := m.roleService.UpdateRole(stored.ID, stored); err != nil {
			return err
		}
	}

	// NOTE(review): presumably re-derives each user's effective
	// authorizations from the roles rewritten above; confirm against the
	// authorization service.
	return m.authorizationService.UpdateUsersAuthorizations()
}