fixup! feat: multi-role grants for nodes

[skip ci]

Author: DavidePrincipi

core/imageroot/usr/local/agent/pypkg/cluster/grants.py

@@ -84,19 +84,29 @@ def alter_user(rdb, user, revoke, role, on_clause):
     """
     Grant/Revoke the ROLE ON some module to USER
 
-    The module can be cluster, node/X, module/modY etc.
-    The ROLE must be already defined in the given module.
+    The module matcher, specified by ON_CLAUSE, can be cluster, node/X,
+    module/modY etc. Wildcard match is allowed.
+
+    ROLE is a comma-separated list of role names without spaces. Each role
+    name must be already defined in the matching module(s).
     """
 
+    targets = set()
+    for xrole in role.split(","):
+        # Make sure there is no white space around the role name:
+        xrole = xrole.strip()
+        if not xrole:
+            continue
+        for key in rdb.scan_iter(f'{on_clause}/roles/{xrole}'):
+            agent_id = key.removesuffix(f'/roles/{xrole}')
+            targets.add(agent_id)
+
     pipe = rdb.pipeline()
-    for key in rdb.scan_iter(f'{on_clause}/roles/{role}'):
-        pos = key.find(f'/roles/{role}')
-        agent_id = key[:pos]
+    for agent_id in targets:
         if revoke:
-            pipe.hdel(f'roles/{user}', agent_id, role)
+            pipe.hdel(f'roles/{user}', agent_id)
         else:
             pipe.hset(f'roles/{user}', agent_id, role)
-
     pipe.execute()
 
 def refresh_permissions(rdb):
@@ -110,7 +120,8 @@ def refresh_permissions(rdb):
 def add_module_permissions(rdb, module_id, authorizations, node_id):
     """Parse authorizations and grant permissions to module_id"""
     for authz in authorizations:
-        xagent, xrole = authz.split(':') # e.g. traefik@node:routeadm
+        # authz examples: "traefik@node:routeadm", "node:fwadm,portsadm"
+        xagent, xrole = authz.split(':')
 
         if xagent.endswith("@any"):
             agent_selector = 'module/' + xagent.removesuffix("@any") + '*' # wildcard allowed in on_clause
@@ -119,6 +130,10 @@ def add_module_permissions(rdb, module_id, authorizations, node_id):
         else:
             agent_selector = agent.resolve_agent_id(xagent, node_id=node_id)
 
+        # If the agent_selector resolves multiple times to the same value,
+        # the last alter_user() call wins: roles are not accumulated or
+        # merged across calls. Still it is allowed to pass a
+        # comma-separated list of roles as xrole value.
         alter_user(rdb,
             user=f'module/{module_id}',
             revoke=False,

core/imageroot/var/lib/nethserver/cluster/actions/add-node/50update

@@ -188,6 +188,12 @@ cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "add-tun",  f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "add-public-service",  f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "add-custom-zone",  f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "portsadm")
 cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "portsadm")
 

core/imageroot/var/lib/nethserver/cluster/update-core-pre-modules.d/50update_grants

@@ -19,15 +19,15 @@ cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="account
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountprovider", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="list-modules",  to_clause="accountprovider", on_clause='cluster')
 
-#
-# Reuse and reallocate TCP/UDP port range #6974
-# Fix rich rules management #7836
-#
 for node_id in set(rdb.hvals('cluster/module_node')):
+    # Reuse and reallocate TCP/UDP port range #6974:
     cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "portsadm")
     cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "portsadm")
+    # Fix rich rules management #7836:
     cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
     cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
+    cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "tunadm")
+    cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "tunadm")
     rdb.delete(
         f'node/{node_id}/roles/fwadm,portsadm',
         f'node/{node_id}/roles/tunadm,portsadm',

core/imageroot/var/lib/nethserver/node/install-finalize.sh

@@ -121,14 +121,16 @@ cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="fwadm"
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="fwadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-rich-rules", to_clause="fwadm", on_clause=f'node/1')
-cluster.grants.grant(rdb, action_clause="remove-rich-rules", to_clause="fwadm", on_clause=f'node/1')
+cluster.grants.grant(rdb, action_clause="add-rich-rules", to_clause="fwadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="remove-rich-rules", to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-tun",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-tun",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="tunadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="add-rich-rules", to_clause="tunadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="remove-rich-rules", to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="portsadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="portsadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="update-routes", to_clause="accountprovider", on_clause='cluster')

docs/core/tun.md

@@ -18,7 +18,8 @@ be authorized to use it, by adding `node:tunadm` to the module image label
 
        org.nethserver.authorizations=node:tunadm
 
-Please note that the _tunadm_ authorization includes also the [_fwadm_](../firewall) one.
+Please note that for backward compatibility with core 3.16 the _tunadm_
+authorization includes also the [_fwadm_](../firewall) one.
 
 Then the module actions must use the `agent`
 Python package to add/remove the tun device needed by the