mirror of https://github.com/portainer/portainer.git synced 2025-08-02 20:35:25 +02:00

feat(containers): enforce disable bind mounts (#4110)

* feat(containers): enforce disable bind mounts

* refactor(docker): move check for endpoint admin to a function

* feat(docker): check if service has bind mounts

* feat(services): allow bind mounts for endpoint admin

* feat(container): enable bind mounts for endpoint admin

* fix(services): fix typo
Chaim Lev-Ari 2020-07-29 12:10:46 +03:00 committed by GitHub
parent 7539f09f98
commit 93d8c179f1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 132 additions and 27 deletions


@ -614,6 +614,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
$scope.isAdmin = Authentication.isAdmin();
$scope.showDeviceMapping = await shouldShowDevices();
$scope.areContainerCapabilitiesEnabled = await checkIfContainerCapabilitiesEnabled();
$scope.isAdminOrEndpointAdmin = await checkIfAdminOrEndpointAdmin();
Volume.query(
{},
@ -678,7 +679,7 @@ angular.module('portainer.docker').controller('CreateContainerController', [
SettingsService.publicSettings()
.then(function success(data) {
$scope.allowBindMounts = data.AllowBindMountsForRegularUsers;
$scope.allowBindMounts = $scope.isAdminOrEndpointAdmin || data.AllowBindMountsForRegularUsers;
$scope.allowPrivilegedMode = data.AllowPrivilegedModeForRegularUsers;
})
.catch(function error(err) {
@ -922,6 +923,15 @@ angular.module('portainer.docker').controller('CreateContainerController', [
return allowContainerCapabilitiesForRegularUsers || isAdminOrEndpointAdmin();
}
async function checkIfAdminOrEndpointAdmin() {
if (Authentication.isAdmin()) {
return true;
}
const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
return rbacEnabled ? Authentication.hasAuthorizations(['EndpointResourcesAccess']) : false;
}
initView();
},
]);
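Review bot: `checkIfAdminOrEndpointAdmin()` in the last hunk is added directly below a context line that calls `isAdminOrEndpointAdmin()`, which suggests the controller already has a helper answering the same question. Two near-identically named functions that both decide an authorization result can drift apart, so I would reuse the existing one if it is equivalent, or otherwise document the new one, e.g. `// UI hint only: controls whether the Bind option is shown; the API must still reject bind mounts for other users`. The second hunk reads `$scope.isAdminOrEndpointAdmin` inside the `publicSettings()` callback, so it depends on the `await` from the first hunk having completed; the enclosing function starts and ends outside these hunks, so that ordering cannot be confirmed here. Whether the backend refuses bind mounts for regular users is not visible in this file and would have to be covered by the other changed files.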


@ -334,8 +334,8 @@
</div>
<!-- !container-path -->
<!-- volume-type -->
<div class="input-group col-sm-5" style="margin-left: 5px;" ng-if="isAdmin || allowBindMounts">
<div class="btn-group btn-group-sm">
<div class="input-group col-sm-5" style="margin-left: 5px;">
<div class="btn-group btn-group-sm" ng-if="allowBindMounts">
<label class="btn btn-primary" ng-model="volume.type" uib-btn-radio="'volume'" ng-click="volume.name = ''">Volume</label>
<label class="btn btn-primary" ng-model="volume.type" uib-btn-radio="'bind'" ng-click="volume.name = ''">Bind</label>
</div>
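Review bot: Moving `ng-if` from the outer `input-group` to the inner `btn-group` hides only the Volume/Bind toggle, so a volume row whose `volume.type` is already `'bind'` keeps that value with no control left to change it. If this form can be pre-populated from an existing container (not visible in this hunk), the controller should refuse to build the request for such rows when `allowBindMounts` is false, rather than relying on the hidden buttons. At minimum I would record the behaviour next to the toggle: `<!-- hidden when bind mounts are disabled; volume.type keeps its current value -->`. The outer `div` is now always rendered, which also leaves an empty `input-group` in the row for users without the permission.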


@ -33,6 +33,7 @@ angular.module('portainer.docker').controller('CreateServiceController', [
'SettingsService',
'WebhookService',
'EndpointProvider',
'ExtensionService',
function (
$q,
$scope,
@ -58,7 +59,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
NodeService,
SettingsService,
WebhookService,
EndpointProvider
EndpointProvider,
ExtensionService
) {
$scope.formValues = {
Name: '',
@ -106,6 +108,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
actionInProgress: false,
};
$scope.allowBindMounts = false;
$scope.refreshSlider = function () {
$timeout(function () {
$scope.$broadcast('rzSliderForceRender');
@ -562,8 +566,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
secrets: apiVersion >= 1.25 ? SecretService.secrets() : [],
configs: apiVersion >= 1.3 ? ConfigService.configs() : [],
nodes: NodeService.nodes(),
settings: SettingsService.publicSettings(),
availableLoggingDrivers: PluginService.loggingPlugins(apiVersion < 1.25),
allowBindMounts: checkIfAllowedBindMounts(),
})
.then(function success(data) {
$scope.availableVolumes = data.volumes;
@ -572,8 +576,8 @@ angular.module('portainer.docker').controller('CreateServiceController', [
$scope.availableConfigs = data.configs;
$scope.availableLoggingDrivers = data.availableLoggingDrivers;
initSlidersMaxValuesBasedOnNodeData(data.nodes);
$scope.allowBindMounts = data.settings.AllowBindMountsForRegularUsers;
$scope.isAdmin = Authentication.isAdmin();
$scope.allowBindMounts = data.allowBindMounts;
})
.catch(function error(err) {
Notifications.error('Failure', err, 'Unable to initialize view');
@ -581,5 +585,22 @@ angular.module('portainer.docker').controller('CreateServiceController', [
}
initView();
async function checkIfAllowedBindMounts() {
const isAdmin = Authentication.isAdmin();
const settings = await SettingsService.publicSettings();
const { AllowBindMountsForRegularUsers } = settings;
if (isAdmin || AllowBindMountsForRegularUsers) {
return true;
}
const rbacEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC);
if (rbacEnabled) {
return Authentication.hasAuthorizations(['EndpointResourcesAccess']);
}
return false;
}
},
]);
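Review bot: `checkIfAllowedBindMounts()` re-implements the admin / RBAC / `EndpointResourcesAccess` decision that this commit also adds to CreateContainerController as `checkIfAdminOrEndpointAdmin()`, here with the settings lookup folded in, so the two create forms can diverge when the rule changes. I would put the decision in one shared service method called from both controllers, with a JSDoc line stating that it returns whether the Bind option is shown and is not an access check. Because the helper is now an entry in the `$q.all` map, a rejected `ExtensionService.extensionEnabled()` call fails the whole view initialisation. That fails closed thanks to `$scope.allowBindMounts = false`, but if it is stricter than intended, catch the error inside the helper and `return false;`.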


@ -305,7 +305,7 @@
<!-- !container-path -->
<!-- volume-type -->
<div class="input-group col-sm-5" style="margin-left: 5px;">
<div class="btn-group btn-group-sm" ng-if="isAdmin || allowBindMounts">
<div class="btn-group btn-group-sm" ng-if="allowBindMounts">
<label class="btn btn-primary" ng-model="volume.Type" uib-btn-radio="'volume'" ng-click="volume.name = ''">Volume</label>
<label class="btn btn-primary" ng-model="volume.Type" uib-btn-radio="'bind'" ng-click="volume.Id = ''">Bind</label>
</div>