feat: multi-role grants for nodes

DavidePrincipi · DavidePrincipi · commit f58e302e7233 · 2026-01-28T15:57:30.000+01:00
Authorization of node actions is splitted in three roles:

- fwadm
- portsadm
- tunadm

Implement multiple role assignments for a single agent. With this new
feature, a module like nethvoice-proxy can be granted both fwadm and
portsadm role on the same node, eliminating the hack that define fake
role names like "fwadm,portsadm".

The comma in role names is now considered a split point by api-server to
authorize the requested action.
diff --git a/core/imageroot/var/lib/nethserver/cluster/actions/add-node/50update b/core/imageroot/var/lib/nethserver/cluster/actions/add-node/50update
@@ -186,32 +186,10 @@ cluster.grants.grant(rdb, "add-custom-zone",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
-
-cluster.grants.grant(rdb, "add-public-service",  f'node/{node_id}', "tunadm")
-cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm")
-cluster.grants.grant(rdb, "add-custom-zone",  f'node/{node_id}', "tunadm")
-cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "add-tun",  f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm")
-
 cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "portsadm")
 cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "portsadm")
-cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "add-tun", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm,portsadm")
 
 # Grant on cascade the owner role on the new node, to users with the owner
 # role on cluster
diff --git a/core/imageroot/var/lib/nethserver/cluster/update-core-pre-modules.d/50update_grants b/core/imageroot/var/lib/nethserver/cluster/update-core-pre-modules.d/50update_grants
@@ -21,24 +21,18 @@ cluster.grants.grant(rdb, action_clause="list-modules",  to_clause="accountprovi
 
 #
 # Reuse and reallocate TCP/UDP port range #6974
+# Fix rich rules management #7836
 #
 for node_id in set(rdb.hvals('cluster/module_node')):
     cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "portsadm")
     cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "portsadm")
-    cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "add-tun", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm,portsadm")
+    cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
+    cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
+    rdb.delete(
+        f'node/{node_id}/roles/fwadm,portsadm',
+        f'node/{node_id}/roles/tunadm,portsadm',
+    )
+
 #
 # END of grant updates
 #
diff --git a/core/imageroot/var/lib/nethserver/node/install-finalize.sh b/core/imageroot/var/lib/nethserver/node/install-finalize.sh
@@ -121,33 +121,16 @@ cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="fwadm"
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="fwadm", on_clause='node/1')
-
+cluster.grants.grant(rdb, action_clause="add-rich-rules", to_clause="fwadm", on_clause=f'node/1')
+cluster.grants.grant(rdb, action_clause="remove-rich-rules", to_clause="fwadm", on_clause=f'node/1')
 cluster.grants.grant(rdb, action_clause="add-tun",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-tun",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="tunadm", on_clause='node/1')
-
 cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="portsadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-tun",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-tun",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-rich-rules",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-rich-rules",  to_clause="fwadm,portsadm", on_clause='node/1')
-
 cluster.grants.grant(rdb, action_clause="update-routes", to_clause="accountprovider", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountconsumer", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountprovider", on_clause='cluster')
diff --git a/docs/modules/port_allocation.md b/docs/modules/port_allocation.md
@@ -40,9 +40,6 @@ with other existing node-related roles:
 - `org.nethserver.authorizations = node:fwadm,portsadm`
 - `org.nethserver.authorizations = node:tunadm,portsadm`
 
-Note that the value must be exactly one of the above. Other combinations
-like `node:portsadm,fwadm` are not valid.
-
 The module will be granted execution permissions for the following actions
 on the local node:
 - `allocate-ports`
