Merge pull request #1826 from HubSpot/read_auth_for_slaves

Only require read authorization to view list of slaves
HubSpot · Aug 7, 2018 · 6c20ed2 · 6c20ed2
2 parents 4c119da + 9387aca
commit 6c20ed2
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 6 deletions.
diff --git a/...ityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java b/...ityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
@@ -82,6 +82,24 @@ public void checkAdminAuthorization(SingularityUser user) {
     }
   }
 
+  public void checkReadAuthorization(SingularityUser user) {
+    if (authEnabled) {
+      checkForbidden(user.isAuthenticated(), "Not Authenticated!");
+      if (!adminGroups.isEmpty()) {
+        final Set<String> userGroups = user.getGroups();
+        final boolean userIsAdmin = !adminGroups.isEmpty() && groupsIntersect(userGroups, adminGroups);
+        final boolean userIsJITA = !jitaGroups.isEmpty() && groupsIntersect(userGroups, jitaGroups);
+        final boolean userIsReadOnlyUser = !globalReadOnlyGroups.isEmpty() && groupsIntersect(userGroups, globalReadOnlyGroups);
+        final boolean userIsPartOfRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(userGroups, requiredGroups);
+        if (!userIsAdmin) {
+          checkForbidden(
+              (userIsJITA || userIsReadOnlyUser) && userIsPartOfRequiredGroups,
+              "%s must be part of one or more read only or jita groups: %s,%s", user.getId(), JavaUtils.COMMA_JOINER.join(jitaGroups), JavaUtils.COMMA_JOINER.join(globalReadOnlyGroups));
+        }
+      }
+    }
+  }
+
   public void checkForAuthorizationByTaskId(String taskId, SingularityUser user, SingularityAuthorizationScope scope) {
     if (authEnabled) {
       checkForbidden(user.isAuthenticated(), "Not Authenticated!");

diff --git a/...arityService/src/main/java/com/hubspot/singularity/resources/AbstractMachineResource.java b/...arityService/src/main/java/com/hubspot/singularity/resources/AbstractMachineResource.java
@@ -45,7 +45,7 @@ protected void cancelExpiring(String objectId, SingularityUser user) {
   }
 
   protected List<SingularityExpiringMachineState> getExpiringStateChanges(SingularityUser user) {
-    authorizationHelper.checkAdminAuthorization(user);
+    authorizationHelper.checkReadAuthorization(user);
     return manager.getExpiringObjects();
   }
 

diff --git a/SingularityService/src/main/java/com/hubspot/singularity/resources/RackResource.java b/SingularityService/src/main/java/com/hubspot/singularity/resources/RackResource.java
@@ -55,7 +55,7 @@ protected String getObjectTypeString() {
   public List<SingularityRack> getRacks(
       @Parameter(hidden = true) @Auth SingularityUser user,
       @Parameter(description = "Optionally specify a particular state to filter racks by") @QueryParam("state") Optional<MachineState> filterState) {
-    authorizationHelper.checkAdminAuthorization(user);
+    authorizationHelper.checkReadAuthorization(user);
     return manager.getObjectsFiltered(filterState);
   }
 
@@ -65,7 +65,7 @@ public List<SingularityRack> getRacks(
   public List<SingularityMachineStateHistoryUpdate> getRackHistory(
       @Parameter(hidden = true) @Auth SingularityUser user,
       @Parameter(required = true, description = "Rack ID") @PathParam("rackId") String rackId) {
-    authorizationHelper.checkAdminAuthorization(user);
+    authorizationHelper.checkReadAuthorization(user);
     return manager.getHistory(rackId);
   }
 

diff --git a/SingularityService/src/main/java/com/hubspot/singularity/resources/SlaveResource.java b/SingularityService/src/main/java/com/hubspot/singularity/resources/SlaveResource.java
@@ -55,7 +55,7 @@ protected String getObjectTypeString() {
   public List<SingularitySlave> getSlaves(
       @Parameter(hidden = true) @Auth SingularityUser user,
       @Parameter(description = "Optionally specify a particular state to filter slaves by") @QueryParam("state") Optional<MachineState> filterState) {
-    authorizationHelper.checkAdminAuthorization(user);
+    authorizationHelper.checkReadAuthorization(user);
     return manager.getObjectsFiltered(filterState);
   }
 
@@ -65,7 +65,7 @@ public List<SingularitySlave> getSlaves(
   public List<SingularityMachineStateHistoryUpdate> getSlaveHistory(
       @Parameter(hidden = true) @Auth SingularityUser user,
       @Parameter(required = true, description = "Slave ID") @PathParam("slaveId") String slaveId) {
-    authorizationHelper.checkAdminAuthorization(user);
+    authorizationHelper.checkReadAuthorization(user);
     return manager.getHistory(slaveId);
   }
 
@@ -75,7 +75,7 @@ public List<SingularityMachineStateHistoryUpdate> getSlaveHistory(
   public Optional<SingularitySlave> getSlave(
       @Parameter(hidden = true) @Auth SingularityUser user,
       @Parameter(required = true, description = "Slave ID") @PathParam("slaveId") String slaveId) {
-    authorizationHelper.checkAdminAuthorization(user);
+    authorizationHelper.checkReadAuthorization(user);
     return manager.getObject(slaveId);
   }