Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-24 15:59:41 +02:00
Code Issues Releases Activity

feat(settings): add setting to disable device mapping for regular users (#4099)

Browse source 
* feat(settings): add setting to disable device mapping for regular users

* feat(settings): introduce device mapping service

* feat(containers): hide devices field when setting is on

* feat(containers): prevent passing of devices when not allowed

* feat(stacks): prevent non admin from device mapping

* feat(stacks): disallow swarm stack creation for user

* refactor(settings): replace disableDeviceMapping with allow

* fix(stacks): remove check for disable device mappings from swarm

* feat(settings): rename field to disable

* feat(settings): supply default value for disableDeviceMapping

* feat(container): check for endpoint admin

* style(server): sort imports
This commit is contained in:
Chaim Lev-Ari 2020-07-27 00:31:14 +03:00 committed by GitHub
parent 2bc6b2dff7
commit 07efd4bdda
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 71 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

13
api/http/proxy/factory/docker/containers.go
View file

@ -158,8 +158,9 @@ func containerHasBlackListedLabel(containerLabels map[string]interface{}, labelB
func (transport *Transport) decorateContainerCreationOperation(request *http.Request, resourceIdentifierAttribute string, resourceType portainer.ResourceControlType) (*http.Response, error) {
type PartialContainer struct {
HostConfig struct {
Privileged bool `json:"Privileged"`
PidMode string `json:"PidMode"`
Privileged bool `json:"Privileged"`
PidMode string `json:"PidMode"`
Devices []interface{} `json:"Devices"`
} `json:"HostConfig"`
}
@ -188,7 +189,9 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
endpointResourceAccess = true
}
if (rbacExtension != nil && !endpointResourceAccess && tokenData.Role != portainer.AdministratorRole) || (rbacExtension == nil && tokenData.Role != portainer.AdministratorRole) {
isAdmin := (rbacExtension != nil && endpointResourceAccess) || tokenData.Role == portainer.AdministratorRole
if !isAdmin {
settings, err := transport.dataStore.Settings().Settings()
if err != nil {
return nil, err
@ -213,6 +216,10 @@ func (transport *Transport) decorateContainerCreationOperation(request *http.Req
return forbiddenResponse, errors.New("forbidden to use pid host namespace")
}
if !settings.AllowDeviceMappingForRegularUsers && len(partialContainer.HostConfig.Devices) > 0 {
return nil, errors.New("forbidden to use device mapping")
}
request.Body = ioutil.NopCloser(bytes.NewBuffer(body))
}