feat(api-server): support assigning multiple roles

core/api-server/methods/auth.go

@@ -115,25 +115,33 @@ func RedisAuthorization(username string, c *gin.Context) (models.UserAuthorizati
 		pathScan = "module/" + c.Param("module_id") + "/roles/"
 	}
 
-	// get roles of current user: HGET roles/<username>.<entity> -> <role>
-	role, errRedisRoleGet := redisConnection.HGet(ctx, "roles/"+username, pathGet).Result()
+	// get roles of current user: HGET roles/<username> -> <role(s)>
+	roles, errRedisRoleGet := redisConnection.HGet(ctx, "roles/"+username, pathGet).Result()
 
 	// handle redis error
 	if errRedisRoleGet != nil {
 		return userAuthorizationsRedis, errRedisRoleGet
 	}
 
-	// get action for current role and entity: SMEMBERS <entity>/<reference>/roles/<role>
-	actions, errRedisRoleScan := redisConnection.SMembers(ctx, pathScan+role).Result()
-
-	// handle redis error
-	if errRedisRoleScan != nil {
-		return userAuthorizationsRedis, errRedisRoleScan
+	// get actions for each role and entity: SMEMBERS <entity>/<reference>/roles/<role>
+	var actions []string
+	roleList := strings.Split(roles, ",")
+	for _, r := range roleList {
+		r = strings.TrimSpace(r)
+		if r == "" {
+			continue
+		}
+		a, errRedisRoleScan := redisConnection.SMembers(ctx, pathScan+r).Result()
+		if errRedisRoleScan != nil {
+			return userAuthorizationsRedis, errRedisRoleScan
+		}
+		// duplicated values are allowed, since Authorizator checks only existence
+		actions = append(actions, a...)
 	}
 
 	// compose user authorizations
 	userAuthorizationsRedis.Username = username
-	userAuthorizationsRedis.Role = role
+	userAuthorizationsRedis.Role = roles  // keep original string of raw role list
 	userAuthorizationsRedis.Actions = actions
 
 	// close redis connection

core/imageroot/usr/local/agent/pypkg/cluster/grants.py

@@ -84,19 +84,29 @@ def alter_user(rdb, user, revoke, role, on_clause):
     """
     Grant/Revoke the ROLE ON some module to USER
 
-    The module can be cluster, node/X, module/modY etc.
-    The ROLE must be already defined in the given module.
+    The module matcher, specified by ON_CLAUSE, can be cluster, node/X,
+    module/modY etc. Wildcard match is allowed.
+
+    ROLE is a comma-separated list of role names without spaces. Each role
+    name must be already defined in the matching module(s).
     """
 
+    targets = set()
+    for xrole in role.split(","):
+        # Make sure there is no white space around the role name:
+        xrole = xrole.strip()
+        if not xrole:
+            continue
+        for key in rdb.scan_iter(f'{on_clause}/roles/{xrole}'):
+            agent_id = key.removesuffix(f'/roles/{xrole}')
+            targets.add(agent_id)
+
     pipe = rdb.pipeline()
-    for key in rdb.scan_iter(f'{on_clause}/roles/{role}'):
-        pos = key.find(f'/roles/{role}')
-        agent_id = key[:pos]
+    for agent_id in targets:
         if revoke:
-            pipe.hdel(f'roles/{user}', agent_id, role)
+            pipe.hdel(f'roles/{user}', agent_id)
         else:
             pipe.hset(f'roles/{user}', agent_id, role)
-
     pipe.execute()
 
 def refresh_permissions(rdb):
@@ -110,7 +120,8 @@ def refresh_permissions(rdb):
 def add_module_permissions(rdb, module_id, authorizations, node_id):
     """Parse authorizations and grant permissions to module_id"""
     for authz in authorizations:
-        xagent, xrole = authz.split(':') # e.g. traefik@node:routeadm
+        # authz examples: "traefik@node:routeadm", "node:fwadm,portsadm"
+        xagent, xrole = authz.split(':')
 
         if xagent.endswith("@any"):
             agent_selector = 'module/' + xagent.removesuffix("@any") + '*' # wildcard allowed in on_clause
@@ -119,6 +130,10 @@ def add_module_permissions(rdb, module_id, authorizations, node_id):
         else:
             agent_selector = agent.resolve_agent_id(xagent, node_id=node_id)
 
+        # If the agent_selector resolves multiple times to the same value,
+        # the last alter_user() call wins: roles are not accumulated or
+        # merged across calls. Still it is allowed to pass a
+        # comma-separated list of roles as xrole value.
         alter_user(rdb,
             user=f'module/{module_id}',
             revoke=False,

core/imageroot/var/lib/nethserver/cluster/actions/add-node/50update

@@ -186,32 +186,16 @@ cluster.grants.grant(rdb, "add-custom-zone",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
-
+cluster.grants.grant(rdb, "add-tun",  f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "add-public-service",  f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "add-custom-zone",  f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm")
-cluster.grants.grant(rdb, "add-tun",  f'node/{node_id}', "tunadm")
-cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm")
-
+cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "tunadm")
+cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "portsadm")
 cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "portsadm")
-cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm,portsadm")
-cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "add-tun", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "tunadm,portsadm")
-cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm,portsadm")
 
 # Grant on cascade the owner role on the new node, to users with the owner
 # role on cluster

core/imageroot/var/lib/nethserver/cluster/update-core-pre-modules.d/50update_grants

@@ -19,26 +19,20 @@ cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="account
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountprovider", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="list-modules",  to_clause="accountprovider", on_clause='cluster')
 
-#
-# Reuse and reallocate TCP/UDP port range #6974
-#
 for node_id in set(rdb.hvals('cluster/module_node')):
+    # Reuse and reallocate TCP/UDP port range #6974:
     cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "portsadm")
     cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "portsadm")
-    cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm,portsadm")
-    cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "add-tun", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "remove-tun", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "tunadm,portsadm")
-    cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm,portsadm")
+    # Fix rich rules management #7836:
+    cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
+    cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
+    cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "tunadm")
+    cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "tunadm")
+    rdb.delete(
+        f'node/{node_id}/roles/fwadm,portsadm',
+        f'node/{node_id}/roles/tunadm,portsadm',
+    )
+
 #
 # END of grant updates
 #

core/imageroot/var/lib/nethserver/node/install-finalize.sh

@@ -121,33 +121,18 @@ cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="fwadm"
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="fwadm", on_clause='node/1')
-
+cluster.grants.grant(rdb, action_clause="add-rich-rules", to_clause="fwadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="remove-rich-rules", to_clause="fwadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-tun",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-tun",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="tunadm", on_clause='node/1')
-
+cluster.grants.grant(rdb, action_clause="add-rich-rules", to_clause="tunadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="remove-rich-rules", to_clause="tunadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="portsadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="allocate-ports",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="deallocate-ports",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-tun",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-tun",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="tunadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="add-rich-rules",  to_clause="fwadm,portsadm", on_clause='node/1')
-cluster.grants.grant(rdb, action_clause="remove-rich-rules",  to_clause="fwadm,portsadm", on_clause='node/1')
-
 cluster.grants.grant(rdb, action_clause="update-routes", to_clause="accountprovider", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountconsumer", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountprovider", on_clause='cluster')

docs/core/tun.md

@@ -18,7 +18,8 @@ be authorized to use it, by adding `node:tunadm` to the module image label
 
        org.nethserver.authorizations=node:tunadm
 
-Please note that the _tunadm_ authorization includes also the [_fwadm_](../firewall) one.
+Please note that for backward compatibility with core 3.16 the _tunadm_
+authorization includes also the [_fwadm_](../firewall) one.
 
 Then the module actions must use the `agent`
 Python package to add/remove the tun device needed by the

docs/modules/port_allocation.md

@@ -40,9 +40,6 @@ with other existing node-related roles:
 - `org.nethserver.authorizations = node:fwadm,portsadm`
 - `org.nethserver.authorizations = node:tunadm,portsadm`
 
-Note that the value must be exactly one of the above. Other combinations
-like `node:portsadm,fwadm` are not valid.
-
 The module will be granted execution permissions for the following actions
 on the local node:
 - `allocate-ports`