
Commit 018b969

catalog
1 parent db76d6e commit 018b969


2 files changed

+17
-2
lines changed


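--- a/api/cluster/ClusterRestHandler.go
+++ b/api/cluster/ClusterRestHandler.go
@@ -477,7 +477,8 @@ func (impl ClusterRestHandlerImpl) UpdateClusterDescription(w http.ResponseWrite
 return
 }
 // RBAC enforcer applying
-if ok := impl.enforcer.Enforce(token, casbin.ResourceCluster, casbin.ActionUpdate, clusterDescription.ClusterName); !ok {
+authenticated := impl.clusterRbacService.CheckAuthorisationForAllK8sPermissions(token, clusterDescription.ClusterName, casbin.ActionUpdate)
+if !authenticated {
 common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 return
 }
@@ -521,7 +522,8 @@ func (impl ClusterRestHandlerImpl) UpdateClusterNote(w http.ResponseWriter, r *h
 return
 }
 // RBAC enforcer applying
-if ok := impl.enforcer.Enforce(token, casbin.ResourceCluster, casbin.ActionUpdate, clusterDescription.ClusterName); !ok {
+authenticated := impl.clusterRbacService.CheckAuthorisationForAllK8sPermissions(token, clusterDescription.ClusterName, casbin.ActionUpdate)
+if !authenticated {
 common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 return
 }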
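Review bot: The replacement check in UpdateClusterDescription (and identically in the UpdateClusterNote hunk) no longer asks for update on `casbin.ResourceCluster`; judging by the helper's name and the `bean.ALL` fields in the other file, it now asks for update on every Kubernetes resource in the cluster, and nothing in the handler records that this is the permission required. The existing comment should say so, for example `// RBAC: caller needs update on all k8s resources of this cluster`, so a later reader does not assume the cluster-level policy still governs these endpoints. It is also worth confirming that roles holding only the cluster-level update policy are meant to lose access here. The value is an authorization decision, so `authorized` would be a more accurate name than `authenticated`. Both handler bodies start and end outside the hunks.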

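--- a/pkg/cluster/rbac/ClusterRbacService.go
+++ b/pkg/cluster/rbac/ClusterRbacService.go
@@ -18,9 +18,12 @@ package rbac
 
 import (
 "errors"
+"github.com/devtron-labs/common-lib/utils/k8s"
 "github.com/devtron-labs/devtron/pkg/cluster"
 "github.com/devtron-labs/devtron/pkg/cluster/environment"
+"github.com/devtron-labs/devtron/pkg/k8s/application/bean"
 "github.com/devtron-labs/devtron/util/rbac"
+"k8s.io/apimachinery/pkg/runtime/schema"
 "strings"
 
 "github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
@@ -32,6 +35,7 @@ type ClusterRbacService interface {
 CheckAuthorization(clusterName string, clusterId int, token string, userId int32, rbacForClusterMappingsAlso bool) (bool, error)
 CheckAuthorisationForNode(token string, clusterName string, nodeName string, action string) (authenticated bool)
 CheckAuthorisationForNodeWithClusterId(token string, clusterId int, nodeName string, action string) (authenticated bool, err error)
+CheckAuthorisationForAllK8sPermissions(token string, clusterName string, action string) bool
 }
 
 type ClusterRbacServiceImpl struct {
@@ -139,3 +143,12 @@ func (impl *ClusterRbacServiceImpl) FetchAllowedClusterMap(userId int32) (map[st
 return allowedClustersMap, err
 
 }
+
+func (impl *ClusterRbacServiceImpl) CheckAuthorisationForAllK8sPermissions(token string, clusterName string, action string) (b2 bool) {
+resource, object := impl.enforcerUtil.GetRBACNameForClusterEntity(clusterName, k8s.ResourceIdentifier{
+Name: bean.ALL,
+Namespace: bean.ALL,
+GroupVersionKind: schema.GroupVersionKind{Group: bean.ALL, Kind: bean.ALL},
+})
+return impl.enforcer.Enforce(token, strings.ToLower(resource), action, object)
+}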
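Review bot: The new method CheckAuthorisationForAllK8sPermissions has no doc comment and declares a named result `b2` that is never used, while the interface declares a plain `bool`. The signature should end in `action string) bool {` and carry a comment such as `// CheckAuthorisationForAllK8sPermissions reports whether token may perform action on all namespaces, groups and kinds of clusterName.`. The wildcard identifier sets Group and Kind to `bean.ALL` but leaves Version empty; whether GetRBACNameForClusterEntity reads Version is not visible here, so this should be checked or stated in a comment. Only `resource` is lower-cased before Enforce while `object` is passed as returned, which deserves a short why-comment if it is intentional.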
