Project

General

Profile

Bug #25094

mgr/dashboard: Only list tasks that user is authorized to see

Added by Ricardo Marques 9 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
dashboard/general
Target version:
Start date:
07/25/2018
Due date:
% Done:

100%

Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

Currently all tasks are displayed, regardless of user permissions.

In the following example, user is only allowed to manage pool, but he can see an RBD task:

task-permissions.png View (15.6 KB) Ricardo Marques, 07/25/2018 10:10 AM

recent notifications.png View - View from a read-only user (22.6 KB) Tina Kallio, 11/23/2018 12:01 PM


Related issues

Related to mgr - Bug #36328: Roles: issues Duplicate 10/05/2018

History

#1 Updated by Ricardo Marques 7 months ago

#2 Updated by Ricardo Dias 6 months ago

To fix the bug described in this issue we need to dynamically verify the user permissions and filter the task list accordingly.
We already preform dynamic checks of user permissions in other controllers, such as in "controllers/summary.py" or in "controllers/dashboard.py".

Each task has always a name, usually of the form "component/action" (e.g., "rbd/create", "pool/delete"). We can use the component name, and action name, to decide which security scope and kind of permission to use for querying the user permissions. For instance, for the task with the "rbd/create" name we should only include it the tasks list if the condition "self._has_permissions(Permission.CREATE, Scope.RBD_IMAGE)" is true.

#3 Updated by Tina Kallio 6 months ago

  • Assignee set to Tina Kallio

#4 Updated by Tina Kallio 5 months ago

Changes made to filter out task according to permission in task-list works.

However, if a user (regardless of permissions) log in to the same browser after another user, all events listed in "Recent notifications" from previous user are displayed. This includes but is not limited to finished tasks, see image. Note! This is not a problem when using a new browser.

Suggested to be treated seperatly, issue created:

https://tracker.ceph.com/issues/37379

#5 Updated by Tina Kallio 5 months ago

  • Status changed from In Progress to Need Review

#6 Updated by Tatjana Dehler 5 months ago

  • Pull request ID set to 25426

#7 Updated by Lenz Grimmer 3 months ago

  • Status changed from Need Review to Resolved
  • Target version set to v14.0.0

#8 Updated by Tina Kallio 3 months ago

  • % Done changed from 80 to 100

Also available in: Atom PDF