feat(extensions): remove rbac extension (#4157)

* feat(extensions): remove rbac extension client code * feat(extensions): remove server rbac code * remove extensions code * fix(notifications): remove error * feat(extensions): remove authorizations service * feat(rbac): deprecate fields * fix(portainer): revert change * fix(bouncer): remove rbac authorization check * feat(sidebar): remove roles link * fix(portainer): remove portainer module
2025-08-05 05:45:22 +02:00 · 2020-08-11 08:41:37 +03:00 · 2020-08-11 08:41:37 +03:00 · 9d18d47194
commit 9d18d47194
parent 8629738e34
117 changed files with 98 additions and 3487 deletions
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@ -12,7 +12,6 @@ import (

 	"github.com/docker/docker/client"
 	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/proxy/factory/responseutils"
 	"github.com/portainer/portainer/api/http/security"
@ -402,16 +401,6 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 	}

 	if tokenData.Role != portainer.AdministratorRole {
-		rbacExtension, err := transport.dataStore.Extension().Extension(portainer.RBACExtension)
-		if err != nil && err != bolterrors.ErrObjectNotFound {
-			return nil, err
-		}
-
-		user, err := transport.dataStore.User().User(tokenData.ID)
-		if err != nil {
-			return nil, err
-		}
-
 		if volumeBrowseRestrictionCheck {
 			settings, err := transport.dataStore.Settings().Settings()
 			if err != nil {
@ -419,28 +408,10 @@ func (transport *Transport) restrictedResourceOperation(request *http.Request, r
 			}

 			if !settings.AllowVolumeBrowserForRegularUsers {
-				if rbacExtension == nil {
-					return responseutils.WriteAccessDeniedResponse()
-				}
-
-				// Return access denied for all roles except endpoint-administrator
-				_, userCanBrowse := user.EndpointAuthorizations[transport.endpoint.ID][portainer.OperationDockerAgentBrowseList]
-				if !userCanBrowse {
-					return responseutils.WriteAccessDeniedResponse()
-				}
+				return responseutils.WriteAccessDeniedResponse()
 			}
 		}

-		endpointResourceAccess := false
-		_, ok := user.EndpointAuthorizations[transport.endpoint.ID][portainer.EndpointResourcesAccess]
-		if ok {
-			endpointResourceAccess = true
-		}
-
-		if rbacExtension != nil && endpointResourceAccess {
-			return transport.executeDockerRequest(request)
-		}
-
 		teamMemberships, err := transport.dataStore.TeamMembership().TeamMembershipsByUserID(tokenData.ID)
 		if err != nil {
 			return nil, err
@ -713,25 +684,5 @@ func (transport *Transport) isAdminOrEndpointAdmin(request *http.Request) (bool,
 		return false, err
 	}

-	if tokenData.Role == portainer.AdministratorRole {
-		return true, nil
-	}
-
-	user, err := transport.dataStore.User().User(tokenData.ID)
-	if err != nil {
-		return false, err
-	}
-
-	rbacExtension, err := transport.dataStore.Extension().Extension(portainer.RBACExtension)
-	if err != nil && err != bolterrors.ErrObjectNotFound {
-		return false, err
-	}
-
-	if rbacExtension == nil {
-		return false, nil
-	}
-
-	_, endpointResourceAccess := user.EndpointAuthorizations[portainer.EndpointID(transport.endpoint.ID)][portainer.EndpointResourcesAccess]
-
-	return endpointResourceAccess, nil
+	return tokenData.Role == portainer.AdministratorRole, nil
 }
--- a/api/http/proxy/factory/factory.go
+++ b/api/http/proxy/factory/factory.go
@ -1,7 +1,6 @@
 package factory

 import (
-	"fmt"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@ -16,12 +15,8 @@ import (

 const azureAPIBaseURL = "https://management.azure.com"

-var extensionPorts = map[portainer.ExtensionID]string{
-	portainer.RBACExtension: "7003",
-}
-
 type (
-	// ProxyFactory is a factory to create reverse proxies to Docker endpoints and extensions
+	// ProxyFactory is a factory to create reverse proxies
 	ProxyFactory struct {
 		dataStore                   portainer.DataStore
 		signatureService            portainer.DigitalSignatureService
@ -44,25 +39,6 @@ func NewProxyFactory(dataStore portainer.DataStore, signatureService portainer.D
 	}
 }

-// BuildExtensionURL returns the URL to an extension server
-func BuildExtensionURL(extensionID portainer.ExtensionID) string {
-	return fmt.Sprintf("http://%s:%s", portainer.ExtensionServer, extensionPorts[extensionID])
-}
-
-// NewExtensionProxy returns a new HTTP proxy to an extension server
-func (factory *ProxyFactory) NewExtensionProxy(extensionID portainer.ExtensionID) (http.Handler, error) {
-	address := "http://" + portainer.ExtensionServer + ":" + extensionPorts[extensionID]
-
-	extensionURL, err := url.Parse(address)
-	if err != nil {
-		return nil, err
-	}
-
-	extensionURL.Scheme = "http"
-	proxy := httputil.NewSingleHostReverseProxy(extensionURL)
-	return proxy, nil
-}
-
 // NewLegacyExtensionProxy returns a new HTTP proxy to a legacy extension server (Storidge)
 func (factory *ProxyFactory) NewLegacyExtensionProxy(extensionAPIURL string) (http.Handler, error) {
 	extensionURL, err := url.Parse(extensionAPIURL)
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -2,7 +2,6 @@ package proxy

 import (
 	"net/http"
-	"strconv"

 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"

@ -21,7 +20,6 @@ type (
 	Manager struct {
 		proxyFactory           *factory.ProxyFactory
 		endpointProxies        cmap.ConcurrentMap
-		extensionProxies       cmap.ConcurrentMap
 		legacyExtensionProxies cmap.ConcurrentMap
 	}
 )
@ -30,7 +28,6 @@ type (
 func NewManager(dataStore portainer.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *docker.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager) *Manager {
 	return &Manager{
 		endpointProxies:        cmap.New(),
-		extensionProxies:       cmap.New(),
 		legacyExtensionProxies: cmap.New(),
 		proxyFactory:           factory.NewProxyFactory(dataStore, signatureService, tunnelService, clientFactory, kubernetesClientFactory, kubernetesTokenCacheManager),
 	}
@ -63,38 +60,6 @@ func (manager *Manager) DeleteEndpointProxy(endpoint *portainer.Endpoint) {
 	manager.endpointProxies.Remove(string(endpoint.ID))
 }

-// CreateExtensionProxy creates a new HTTP reverse proxy for an extension and
-// registers it in the extension map associated to the specified extension identifier
-func (manager *Manager) CreateExtensionProxy(extensionID portainer.ExtensionID) (http.Handler, error) {
-	proxy, err := manager.proxyFactory.NewExtensionProxy(extensionID)
-	if err != nil {
-		return nil, err
-	}
-
-	manager.extensionProxies.Set(strconv.Itoa(int(extensionID)), proxy)
-	return proxy, nil
-}
-
-// GetExtensionProxy returns an extension proxy associated to an extension identifier
-func (manager *Manager) GetExtensionProxy(extensionID portainer.ExtensionID) http.Handler {
-	proxy, ok := manager.extensionProxies.Get(strconv.Itoa(int(extensionID)))
-	if !ok {
-		return nil
-	}
-
-	return proxy.(http.Handler)
-}
-
-// GetExtensionURL retrieves the URL of an extension running locally based on the extension port table
-func (manager *Manager) GetExtensionURL(extensionID portainer.ExtensionID) string {
-	return factory.BuildExtensionURL(extensionID)
-}
-
-// DeleteExtensionProxy deletes the extension proxy associated to an extension identifier
-func (manager *Manager) DeleteExtensionProxy(extensionID portainer.ExtensionID) {
-	manager.extensionProxies.Remove(strconv.Itoa(int(extensionID)))
-}
-
 // CreateLegacyExtensionProxy creates a new HTTP reverse proxy for a legacy extension and adds it to the registered proxies
 func (manager *Manager) CreateLegacyExtensionProxy(key, extensionAPIURL string) (http.Handler, error) {
 	proxy, err := manager.proxyFactory.NewLegacyExtensionProxy(extensionAPIURL)