
NAS-130331 / 24.10 / Add roles for apps (#14110)
* Define catalog/apps/docker roles

* Add roles for docker and k8s to docker services

* Add roles for catalog service

* Add roles for app service

* Remove CONTAINER_READ role
sonicaj authored Jul 30, 2024
1 parent d0da3ec commit c13c74d
Showing 15 changed files with 44 additions and 28 deletions.
6 changes: 3 additions & 3 deletions src/middlewared/middlewared/plugins/apps/app_scale.py
Expand Up @@ -10,7 +10,7 @@ class Config:
namespace = 'app'
cli_namespace = 'app'

@accepts(Str('app_name'))
@accepts(Str('app_name'), roles=['APPS_WRITE'])
@returns()
@job(lock=lambda args: f'app_stop_{args[0]}')
def stop(self, job, app_name):
Expand All @@ -24,7 +24,7 @@ def stop(self, job, app_name):
)
job.set_progress(100, f'Stopped {app_name!r} app')

@accepts(Str('app_name'))
@accepts(Str('app_name'), roles=['APPS_WRITE'])
@returns()
@job(lock=lambda args: f'app_start_{args[0]}')
def start(self, job, app_name):
Expand All @@ -36,7 +36,7 @@ def start(self, job, app_name):
compose_action(app_name, app_config['version'], 'up', force_recreate=True, remove_orphans=True)
job.set_progress(100, f'Started {app_name!r} app')

@accepts(Str('app_name'))
@accepts(Str('app_name'), roles=['APPS_WRITE'])
@returns()
@job(lock=lambda args: f'app_redeploy_{args[0]}')
async def redeploy(self, job, app_name):
3 changes: 2 additions & 1 deletion src/middlewared/middlewared/plugins/apps/crud.py
Expand Up @@ -23,6 +23,7 @@ class Config:
namespace = 'app'
datastore_primary_key_type = 'string'
cli_namespace = 'app'
role_prefix = 'APPS'

ENTRY = Dict(
'app_query',
Expand Down Expand Up @@ -106,7 +107,7 @@ def query(self, app, filters, options):

return filter_list(apps, filters, options)

@accepts(Str('app_name'))
@accepts(Str('app_name'), roles=['APPS_READ'])
@returns(Dict('app_config', additional_attrs=True))
def config(self, app_name):
"""
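Review bot: `config` now returns the whole app configuration (`Dict('app_config', additional_attrs=True)`) to any holder of APPS_READ, while the same commit marks the app `values` as `private=True` in upgrade.py, which suggests the stored configuration can carry secrets; it is worth confirming that a read-only role is meant to see it unredacted, or that private fields are stripped before the return. Whichever is decided, the docstring should state it, e.g. `Return the full configuration of app_name. Requires APPS_READ; values may include sensitive settings.` The body of `config` continues outside the hunk.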
4 changes: 3 additions & 1 deletion src/middlewared/middlewared/plugins/apps/logs.py
Expand Up @@ -84,4 +84,6 @@ async def on_finish(self):


def setup(middleware):
middleware.register_event_source('app.container_log_follow', AppContainerLogsFollowTailEventSource)
middleware.register_event_source(
'app.container_log_follow', AppContainerLogsFollowTailEventSource, roles=['APPS_READ']
)
14 changes: 7 additions & 7 deletions src/middlewared/middlewared/plugins/apps/resources.py
Expand Up @@ -12,7 +12,7 @@ class Config:
namespace = 'app'
cli_namespace = 'app'

@accepts()
@accepts(roles=['APPS_READ'])
@returns(List(items=[Ref('certificate_entry')]))
async def certificate_choices(self):
"""
Expand All @@ -23,7 +23,7 @@ async def certificate_choices(self):
{'select': ['name', 'id']}
)

@accepts()
@accepts(roles=['APPS_READ'])
@returns(List(items=[Ref('certificateauthority_entry')]))
async def certificate_authority_choices(self):
"""
Expand All @@ -33,7 +33,7 @@ async def certificate_authority_choices(self):
'certificateauthority.query', [['revoked', '=', False], ['parsed', '=', True]], {'select': ['name', 'id']}
)

@accepts()
@accepts(roles=['APPS_READ'])
@returns(List(items=[Int('used_port')]))
async def used_ports(self):
"""
Expand All @@ -46,7 +46,7 @@ async def used_ports(self):
for host_port in port_entry['host_ports']
})))

@accepts()
@accepts(roles=['APPS_READ'])
@returns(Dict(Str('ip_choice')))
async def ip_choices(self):
"""
Expand All @@ -57,15 +57,15 @@ async def ip_choices(self):
for ip in await self.middleware.call('interface.ip_in_use', {'static': True, 'any': True})
}

@accepts()
@accepts(roles=['APPS_READ'])
@returns(Dict('gpu_choices', additional_attrs=True))
async def gpu_choices(self):
"""
Returns GPU choices which can be used by applications.
"""
return {
gpu['description']: {
k: gpu[k] for k in ('vendor', 'description', 'vendor_specific_config')
gpu['pci_slot']: {
k: gpu[k] for k in ('vendor', 'description', 'vendor_specific_config', 'pci_slot')
}
for gpu in await self.gpu_choices_internal()
if not gpu['error']
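Review bot: `gpu_choices` changes the key of the returned mapping from `gpu['description']` to `gpu['pci_slot']` and adds `pci_slot` to each entry, a behaviour change unrelated to the roles work that neither the commit message nor the docstring mentions; any caller that looked entries up by description will no longer find them. If the change is intended, the docstring should say so: `Returns GPU choices, keyed by PCI slot, which can be used by applications.` The method body continues past the end of the hunk.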
5 changes: 3 additions & 2 deletions src/middlewared/middlewared/plugins/apps/rollback.py
Expand Up @@ -20,7 +20,8 @@ class Config:
'options',
Str('app_version', empty=False, required=True),
Bool('rollback_snapshot', default=True),
)
),
roles=['APPS_WRITE'],
)
@returns(Ref('app_query'))
@job(lock=lambda args: f'app_rollback_{args[0]}')
Expand Down Expand Up @@ -86,7 +87,7 @@ def rollback(self, job, app_name, options):

return self.middleware.call_sync('app.get_instance', app_name)

@accepts(Str('app_name'))
@accepts(Str('app_name'), roles=['APPS_READ'])
@returns(List('rollback_versions', items=[Str('version')]))
def rollback_versions(self, app_name):
"""
6 changes: 4 additions & 2 deletions src/middlewared/middlewared/plugins/apps/upgrade.py
Expand Up @@ -22,7 +22,8 @@ class Config:
'options',
Dict('values', additional_attrs=True, private=True),
Str('app_version', empty=False, default='latest'),
)
),
roles=['APPS_WRITE'],
)
@returns(Ref('app_query'))
@job(lock=lambda args: f'app_upgrade_{args[0]}')
Expand Down Expand Up @@ -91,7 +92,8 @@ def upgrade(self, job, app_name, options):
Dict(
'options',
Str('app_version', empty=False, default='latest'),
)
),
roles=['APPS_READ'],
)
@returns(Dict(
Str('latest_version', description='Latest version available for the app'),
1 change: 1 addition & 0 deletions src/middlewared/middlewared/plugins/catalog/app_version.py
Expand Up @@ -21,6 +21,7 @@ class Config:
'app_version_details',
Str('train', required=True),
),
roles=['CATALOG_READ'],
)
@returns(Dict(
# TODO: Make sure keys here are mapped appropriately
9 changes: 4 additions & 5 deletions src/middlewared/middlewared/plugins/catalog/apps.py
Expand Up @@ -8,7 +8,7 @@ class AppService(Service):
class Config:
cli_namespace = 'app'

@filterable()
@filterable(roles=['CATALOG_READ'])
@filterable_returns(Ref('available_apps'))
async def latest(self, filters, options):
"""
Expand All @@ -22,8 +22,7 @@ async def latest(self, filters, options):
), filters, options
)

# TODO: Roles are missing
@filterable()
@filterable(roles=['CATALOG_READ'])
@filterable_returns(Dict(
'available_apps',
Bool('healthy', required=True),
Expand Down Expand Up @@ -78,15 +77,15 @@ def available(self, filters, options):

return filter_list(results, filters, options)

@accepts()
@accepts(roles=['CATALOG_READ'])
@returns(List(items=[Str('category')]))
async def categories(self):
"""
Retrieve list of valid categories which have associated applications.
"""
return sorted(list(await self.middleware.call('catalog.retrieve_mapped_categories')))

@accepts(Str('app_name'), Str('train'))
@accepts(Str('app_name'), Str('train'), roles=['CATALOG_READ'])
@returns(List(items=[Ref('available_apps')]))
def similar(self, app_name, train):
"""
Expand Up @@ -53,6 +53,7 @@ def cached(self, label):
Bool('retrieve_all_trains', default=True),
List('trains', items=[Str('train_name')]),
),
roles=['CATALOG_READ']
)
@returns(Dict(
'trains',
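Review bot: `roles=['CATALOG_READ']` is added as the last argument of a multi-line `@accepts(...)` call without a trailing comma, unlike the matching additions in rollback.py and upgrade.py (`roles=['APPS_WRITE'],`); the later k8s_to_docker migration section has the same inconsistency with `roles=['DOCKER_WRITE']`. Writing `roles=['CATALOG_READ'],` keeps the argument lists uniform and makes the next argument a one-line diff. The decorated method's signature is outside this hunk.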
2 changes: 1 addition & 1 deletion src/middlewared/middlewared/plugins/catalog/sync.py
Expand Up @@ -15,7 +15,7 @@ class CatalogService(Service):
async def synced(self):
return self.SYNCED

@accepts()
@accepts(roles=['CATALOG_WRITE'])
@returns()
@job(lock='official_catalog_sync')
async def sync(self, job):
1 change: 1 addition & 0 deletions src/middlewared/middlewared/plugins/catalog/update.py
Expand Up @@ -27,6 +27,7 @@ class Config:
datastore_primary_key_type = 'string'
cli_namespace = 'app.catalog'
namespace = 'catalog'
role_prefix = 'CATALOG'

ENTRY = Dict(
'catalog_create',
3 changes: 2 additions & 1 deletion src/middlewared/middlewared/plugins/docker/update.py
Expand Up @@ -20,6 +20,7 @@ class Config:
datastore = 'services.docker'
datastore_extend = 'docker.config_extend'
cli_namespace = 'app.docker'
role_prefix = 'DOCKER'

ENTRY = Dict(
'docker_entry',
Expand Down Expand Up @@ -65,7 +66,7 @@ async def do_update(self, job, data):

return await self.config()

@accepts()
@accepts(roles=['DOCKER_READ'])
@returns(Dict(
Str('status', enum=[e.value for e in Status]),
Str('description'),
Expand Up @@ -13,7 +13,7 @@ class Config:
namespace = 'k8s_to_docker'
cli_namespace = 'k8s_to_docker'

@accepts(Str('kubernetes_pool'))
@accepts(Str('kubernetes_pool'), roles=['DOCKER_READ'])
@returns(Dict(
'backups',
Str('error', null=True),
Expand Up @@ -22,7 +22,8 @@ class Config:
Dict(
'options',
Str('backup_name', required=True, empty=False),
)
),
roles=['DOCKER_WRITE']
)
@returns(List(
'app_migration_details',
12 changes: 9 additions & 3 deletions src/middlewared/middlewared/role.py
Expand Up @@ -2,6 +2,7 @@
from dataclasses import dataclass, field
import typing


@dataclass()
class Role:
"""
Expand Down Expand Up @@ -93,6 +94,14 @@ class Role:
'CERTIFICATE_AUTHORITY_READ': Role(),
'CERTIFICATE_AUTHORITY_WRITE': Role(includes=['CERTIFICATE_AUTHORITY_READ']),

# Apps roles
'CATALOG_READ': Role(),
'CATALOG_WRITE': Role(includes=['CATALOG_READ']),
'DOCKER_READ': Role(includes=[]),
'DOCKER_WRITE': Role(includes=['DOCKER_READ']),
'APPS_READ': Role(includes=['CATALOG_READ']),
'APPS_WRITE': Role(includes=['CATALOG_WRITE', 'APPS_READ']),

# iSCSI roles
'SHARING_ISCSI_AUTH_READ': Role(),
'SHARING_ISCSI_AUTH_WRITE': Role(includes=['SHARING_ISCSI_AUTH_READ']),
Expand Down Expand Up @@ -170,9 +179,6 @@ class Role:
'FILESYSTEM_ATTRS_WRITE',
'SERVICE_READ'],
builtin=False),
# Apps roles
'CATALOG_READ': Role(),
'CATALOG_WRITE': Role(includes=['CATALOG_READ']),

# System settings
'SYSTEM_GENERAL_READ': Role(),
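Review bot: `'DOCKER_READ': Role(includes=[])` spells out an empty includes list while every other leaf role in the table (`CATALOG_READ`, `CERTIFICATE_AUTHORITY_READ`) is the bare `Role()`; `'DOCKER_READ': Role(),` would match. The new block also makes `APPS_WRITE` include `CATALOG_WRITE`, so an APPS_WRITE holder can trigger `catalog.sync` (gated on CATALOG_WRITE in catalog/sync.py); if that is deliberate, a comment such as `# APPS_WRITE implies CATALOG_WRITE so app installs/upgrades can refresh the catalog` would record the reasoning. Conversely neither `APPS_*` role includes any `DOCKER_*` role, so APPS_WRITE alone presumably cannot reach the DOCKER_READ/DOCKER_WRITE-gated calls in docker/update.py and the k8s_to_docker sections, which may or may not be the intended split. The CONTAINER_READ removal named in the commit message is not in the visible hunks of this file.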
