From 0026be2ceec9edbc6b8f500aa10acba15ffb1a78 Mon Sep 17 00:00:00 2001
From: Stephen Salinas
Date: Tue, 31 Jul 2018 09:42:01 -0400
Subject: [PATCH 1/2] Only require read authorization to view list of slaves
---
 .../auth/SingularityAuthorizationHelper.java | 18 ++++++++++++++++++
 .../resources/AbstractMachineResource.java | 2 +-
 .../singularity/resources/RackResource.java | 4 ++--
 .../singularity/resources/SlaveResource.java | 6 +++---
 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java b/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
index b8960e1071..69dedeeaec 100644
--- a/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
+++ b/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
@@ -82,6 +82,24 @@ public void checkAdminAuthorization(SingularityUser user) { } } + public void checkReadAuthorization(SingularityUser user) { + if (authEnabled) { + checkForbidden(user.isAuthenticated(), "Not Authenticated!"); + if (!adminGroups.isEmpty()) { + final Set userGroups = user.getGroups(); + final boolean userIsAdmin = !adminGroups.isEmpty() && groupsIntersect(userGroups, adminGroups); + final boolean userIsJITA = !jitaGroups.isEmpty() && groupsIntersect(userGroups, jitaGroups); + final boolean userIsReadOnlyUser = (!globalReadOnlyGroups.isEmpty() && groupsIntersect(userGroups, globalReadOnlyGroups)); + final boolean userIsPartOfRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(userGroups, requiredGroups); + if (!userIsAdmin) { + checkForbidden( + (userIsJITA || userIsReadOnlyUser) && userIsPartOfRequiredGroups, + "%s must be part of one or more read only or jita groups: %s,%s", user.getId(), JavaUtils.COMMA_JOINER.join(jitaGroups), JavaUtils.COMMA_JOINER.join(globalReadOnlyGroups)); + } + } + } + } + public void checkForAuthorizationByTaskId(String taskId, SingularityUser user, SingularityAuthorizationScope scope) { if (authEnabled) { checkForbidden(user.isAuthenticated(), "Not Authenticated!");
diff --git a/SingularityService/src/main/java/com/hubspot/singularity/resources/AbstractMachineResource.java b/SingularityService/src/main/java/com/hubspot/singularity/resources/AbstractMachineResource.java
index 079d3f61a5..60d7083689 100644
--- a/SingularityService/src/main/java/com/hubspot/singularity/resources/AbstractMachineResource.java
+++ b/SingularityService/src/main/java/com/hubspot/singularity/resources/AbstractMachineResource.java
@@ -45,7 +45,7 @@ protected void cancelExpiring(String objectId, SingularityUser user) { } protected List getExpiringStateChanges(SingularityUser user) { - authorizationHelper.checkAdminAuthorization(user); + authorizationHelper.checkReadAuthorization(user); return manager.getExpiringObjects(); }
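Review bot: `checkReadAuthorization` evaluates group membership only inside `if (!adminGroups.isEmpty())`, so when no admin groups are configured every authenticated user passes even if `requiredGroups` is non-empty — the `userIsPartOfRequiredGroups` test is never reached in that configuration. That may deliberately mirror how the other check methods in this class treat an empty admin-group list, but they are outside the hunk, so please confirm and state the contract in a Javadoc, e.g. `/** Grants read access to admin, JITA or global read-only group members who also satisfy requiredGroups; with auth enabled but no admin groups configured, any authenticated user passes. */`. Inside that branch the `!adminGroups.isEmpty() &&` prefix of `userIsAdmin` is redundant with the enclosing condition and can be dropped. The forbidden message names only the jita and read-only groups, so a user rejected for missing `requiredGroups` gets a misleading reason; either append the required groups to the message or check them with a separate `checkForbidden` and its own message.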
diff --git a/SingularityService/src/main/java/com/hubspot/singularity/resources/RackResource.java b/SingularityService/src/main/java/com/hubspot/singularity/resources/RackResource.java
index ba7141abdd..562038264b 100644
--- a/SingularityService/src/main/java/com/hubspot/singularity/resources/RackResource.java
+++ b/SingularityService/src/main/java/com/hubspot/singularity/resources/RackResource.java
@@ -55,7 +55,7 @@ protected String getObjectTypeString() { public List getRacks( @Parameter(hidden = true) @Auth SingularityUser user, @Parameter(description = "Optionally specify a particular state to filter racks by") @QueryParam("state") Optional filterState) { - authorizationHelper.checkAdminAuthorization(user); + authorizationHelper.checkReadAuthorization(user); return manager.getObjectsFiltered(filterState); }
@@ -65,7 +65,7 @@ public List getRacks( public List getRackHistory( @Parameter(hidden = true) @Auth SingularityUser user, @Parameter(required = true, description = "Rack ID") @PathParam("rackId") String rackId) { - authorizationHelper.checkAdminAuthorization(user); + authorizationHelper.checkReadAuthorization(user); return manager.getHistory(rackId); }
diff --git a/SingularityService/src/main/java/com/hubspot/singularity/resources/SlaveResource.java b/SingularityService/src/main/java/com/hubspot/singularity/resources/SlaveResource.java
index bbafb52e7d..30c1749e4f 100644
--- a/SingularityService/src/main/java/com/hubspot/singularity/resources/SlaveResource.java
+++ b/SingularityService/src/main/java/com/hubspot/singularity/resources/SlaveResource.java
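Review bot: The subject line says only the slave list is relaxed, but `getRacks` and `getRackHistory` here (and `getExpiringStateChanges` in AbstractMachineResource) also move from `checkAdminAuthorization` to `checkReadAuthorization`, so the commit message should name the rack and machine-history endpoints to make the widened read surface visible in history. Whether the objects returned by `manager.getHistory(rackId)` carry anything a read-only or JITA user should not see cannot be judged from this hunk and is worth confirming against the history type before merging. Both `getRacks` and `getRackHistory` start before their hunks, so their annotations are not visible here.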
@@ -55,7 +55,7 @@ protected String getObjectTypeString() { public List getSlaves( @Parameter(hidden = true) @Auth SingularityUser user, @Parameter(description = "Optionally specify a particular state to filter slaves by") @QueryParam("state") Optional filterState) { - authorizationHelper.checkAdminAuthorization(user); + authorizationHelper.checkReadAuthorization(user); return manager.getObjectsFiltered(filterState); }
@@ -65,7 +65,7 @@ public List getSlaves( public List getSlaveHistory( @Parameter(hidden = true) @Auth SingularityUser user, @Parameter(required = true, description = "Slave ID") @PathParam("slaveId") String slaveId) { - authorizationHelper.checkAdminAuthorization(user); + authorizationHelper.checkReadAuthorization(user); return manager.getHistory(slaveId); }
@@ -75,7 +75,7 @@ public List getSlaveHistory( public Optional getSlave( @Parameter(hidden = true) @Auth SingularityUser user, @Parameter(required = true, description = "Slave ID") @PathParam("slaveId") String slaveId) { - authorizationHelper.checkAdminAuthorization(user); + authorizationHelper.checkReadAuthorization(user); return manager.getObject(slaveId); }
From 9387aca08cc78930abd91b85f475bc81d244efe9 Mon Sep 17 00:00:00 2001
From: Stephen Salinas
Date: Tue, 31 Jul 2018 09:52:16 -0400
Subject: [PATCH 2/2] rm extra parens
---
 .../singularity/auth/SingularityAuthorizationHelper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java b/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
index 69dedeeaec..996860fec0 100644
--- a/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
+++ b/SingularityService/src/main/java/com/hubspot/singularity/auth/SingularityAuthorizationHelper.java
@@ -89,7 +89,7 @@ public void checkReadAuthorization(SingularityUser user) { final Set userGroups = user.getGroups(); final boolean userIsAdmin = !adminGroups.isEmpty() && groupsIntersect(userGroups, adminGroups); final boolean userIsJITA = !jitaGroups.isEmpty() && groupsIntersect(userGroups, jitaGroups); - final boolean userIsReadOnlyUser = (!globalReadOnlyGroups.isEmpty() && groupsIntersect(userGroups, globalReadOnlyGroups)); + final boolean userIsReadOnlyUser = !globalReadOnlyGroups.isEmpty() && groupsIntersect(userGroups, globalReadOnlyGroups); final boolean userIsPartOfRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(userGroups, requiredGroups); if (!userIsAdmin) { checkForbidden(