//
// (C) Copyright 2019-2023 Intel Corporation.
//
// SPDX-License-Identifier: BSD-2-Clause-Patent
//
package security
import (
"github.com/pkg/errors"
"github.com/daos-stack/daos/src/control/build"
)
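// Component represents the DAOS component being granted authorization.
//
// The zero value, ComponentUndefined, is granted nothing: it never appears
// in methodAuthorizations, and CommonNameToComponent returns it for any
// CommonName that does not match a known component.
type Component int

const (
	ComponentUndefined Component = iota
	ComponentAdmin
	ComponentAgent
	ComponentServer
)

// String returns the lower-case name of the component. This is the same
// string CommonNameToComponent matches against, so the two must stay in sync.
//
// A value outside the declared constants (negative, or past ComponentServer)
// is reported as "undefined" instead of panicking on an out-of-range array
// index; an unexpected Component therefore stringifies to the component that
// holds no authorization rather than crashing the caller.
func (c Component) String() string {
	// Indexed by Component; keep in the same order as the const block.
	names := [...]string{"undefined", "admin", "agent", "server"}
	if c < ComponentUndefined || int(c) >= len(names) {
		return names[ComponentUndefined]
	}
	return names[c]
}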
// methodAuthorizations is the map for checking which components are authorized to make the specific method call.
//
// Keys are full gRPC method names ("/<service>/<method>"); values list every
// Component permitted to call that method. The table is deny-by-default:
// Component.HasAccess returns false for any method that is not listed here,
// so a newly added RPC is unreachable until an entry is added. Entries that
// name more than one component (PoolEvict, SystemCleanup) cannot be resolved
// by MethodToComponent, which returns an error for them.
var methodAuthorizations = map[string][]Component{
	"/ctl.CtlSvc/StorageScan":             {ComponentAdmin},
	"/ctl.CtlSvc/StorageFormat":           {ComponentAdmin},
	"/ctl.CtlSvc/StorageNvmeRebind":       {ComponentAdmin},
	"/ctl.CtlSvc/StorageNvmeAddDevice":    {ComponentAdmin},
	"/ctl.CtlSvc/NetworkScan":             {ComponentAdmin},
	"/ctl.CtlSvc/CollectLog":              {ComponentAdmin},
	"/ctl.CtlSvc/FirmwareQuery":           {ComponentAdmin},
	"/ctl.CtlSvc/FirmwareUpdate":          {ComponentAdmin},
	"/ctl.CtlSvc/SmdQuery":                {ComponentAdmin},
	"/ctl.CtlSvc/SmdManage":               {ComponentAdmin},
	"/ctl.CtlSvc/SetEngineLogMasks":       {ComponentAdmin},
	"/ctl.CtlSvc/PrepShutdownRanks":       {ComponentServer},
	"/ctl.CtlSvc/StopRanks":               {ComponentServer},
	"/ctl.CtlSvc/ResetFormatRanks":        {ComponentServer},
	"/ctl.CtlSvc/StartRanks":              {ComponentServer},
	"/mgmt.MgmtSvc/Join":                  {ComponentServer},
	"/mgmt.MgmtSvc/ClusterEvent":          {ComponentServer},
	"/mgmt.MgmtSvc/LeaderQuery":           {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemQuery":           {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemErase":           {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemStart":           {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemStop":            {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemExclude":         {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolCreate":            {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolDestroy":           {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolQuery":             {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolQueryTarget":       {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolSetProp":           {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolGetProp":           {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolGetACL":            {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolOverwriteACL":      {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolUpdateACL":         {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolDeleteACL":         {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolExclude":           {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolDrain":             {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolReintegrate":       {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolEvict":             {ComponentAdmin, ComponentAgent},
	"/mgmt.MgmtSvc/PoolExtend":            {ComponentAdmin},
	"/mgmt.MgmtSvc/GetAttachInfo":         {ComponentAgent},
	"/mgmt.MgmtSvc/ListPools":             {ComponentAdmin},
	"/mgmt.MgmtSvc/ListContainers":        {ComponentAdmin},
	"/mgmt.MgmtSvc/ContSetOwner":          {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCleanup":         {ComponentAdmin, ComponentAgent},
	"/mgmt.MgmtSvc/SystemCheckEnable":     {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckDisable":    {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckStart":      {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckStop":       {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckQuery":      {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckSetPolicy":  {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckGetPolicy":  {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemCheckRepair":     {ComponentAdmin},
	"/mgmt.MgmtSvc/FaultInjectReport":     {ComponentAdmin},
	"/mgmt.MgmtSvc/FaultInjectPoolFault":  {ComponentAdmin},
	"/mgmt.MgmtSvc/FaultInjectMgmtPoolFault": {ComponentAdmin},
	"/mgmt.MgmtSvc/PoolUpgrade":           {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemSetAttr":         {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemGetAttr":         {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemSetProp":         {ComponentAdmin},
	"/mgmt.MgmtSvc/SystemGetProp":         {ComponentAdmin},
	"/RaftTransport/AppendEntries":        {ComponentServer},
	"/RaftTransport/AppendEntriesPipeline": {ComponentServer},
	"/RaftTransport/RequestVote":          {ComponentServer},
	"/RaftTransport/TimeoutNow":           {ComponentServer},
	"/RaftTransport/InstallSnapshot":      {ComponentServer},
}
// methodToComponent looks up method in the supplied authorization table and
// converts its single permitted Component into the equivalent build.Component.
//
// An error is returned when the method is unknown, has an empty component
// list, or is permitted to more than one component; build.ComponentAny is
// returned alongside every error.
func methodToComponent(method string, methodAuthorizations map[string][]Component) (build.Component, error) {
	permitted := methodAuthorizations[method]
	switch n := len(permitted); {
	case n == 0:
		// A missing key yields a nil slice, so this covers both "not listed"
		// and "listed with no components".
		return build.ComponentAny, errors.Errorf("method %q does not map to a known authorized component", method)
	case n > 1:
		// Ambiguous: the caller has to choose the component itself rather
		// than relying on this helper.
		return build.ComponentAny, errors.Errorf("method %q maps to multiple authorized components", method)
	}
	name := permitted[0].String()
	return build.Component(name), nil
}
// MethodToComponent resolves a gRPC method string to a build.Component.
//
// It consults the package-level methodAuthorizations table; see
// methodToComponent for the conditions under which an error is returned.
func MethodToComponent(method string) (build.Component, error) {
	comp, err := methodToComponent(method, methodAuthorizations)
	if err != nil {
		return build.ComponentAny, err
	}
	return comp, nil
}
// HasAccess check if the given component has access to method given in FullMethod
//
// FullMethod is the full gRPC method name used as a key in
// methodAuthorizations. Methods absent from the table are denied, so the
// check fails closed for unknown or newly added RPCs.
func (c Component) HasAccess(FullMethod string) bool {
	// A missing key ranges over a nil slice, which is simply "nobody".
	for _, permitted := range methodAuthorizations[FullMethod] {
		if permitted == c {
			return true
		}
	}
	return false
}
// CommonNameToComponent returns the correct component based on the CommonName
//
// The match is an exact, case-sensitive comparison against each known
// component's String() form ("admin", "agent", "server"); any other value,
// including the empty string, yields ComponentUndefined.
func CommonNameToComponent(commonname string) Component {
	known := [...]Component{ComponentAdmin, ComponentAgent, ComponentServer}
	for _, comp := range known {
		if comp.String() == commonname {
			return comp
		}
	}
	return ComponentUndefined
}