Merge branch 'bug25891@@2' into 'master'

gitlab · gitlab · commit 14d120ddfdad · 2020-03-12T16:15:59.000+08:00
[BugFix: ZSTACK-25891] Fix system role missing api permission

See merge request zstackio/zstack!5983
diff --git a/header/src/main/java/org/zstack/header/identity/rbac/RBAC.java b/header/src/main/java/org/zstack/header/identity/rbac/RBAC.java
@@ -56,6 +56,36 @@ public static void checkMissingRBACInfo() {
         }
     }
 
+    public static void checkMissingApiInRoles() {
+        PolicyMatcher matcher = new PolicyMatcher();
+
+        List<String> missing = new ArrayList<>();
+        APIMessage.apiMessageClasses.forEach(clz -> {
+            if (clz.isAnnotationPresent(Deprecated.class) || clz.isAnnotationPresent(SuppressCredentialCheck.class)) {
+                return;
+            }
+
+            boolean adminApi = permissions.stream()
+                    .anyMatch(p -> p.adminOnlyAPIs.stream().anyMatch(s -> matcher.match(s, clz.getName())));
+
+            if (adminApi) {
+                return;
+            }
+
+            boolean inlclude = roles.stream()
+                    .anyMatch(p -> p.getAllowedActions().stream().anyMatch(s -> matcher.match(s, clz.getName())) || p.getExcludedActions().stream().anyMatch(s -> matcher.match(s, clz.getName())));
+
+            if (!inlclude) {
+                missing.add(clz.getName());
+            }
+        });
+
+        Collections.sort(missing);
+        if (!missing.isEmpty()) {
+            throw new CloudRuntimeException(String.format("no RBACInfo.java describes below APIs:\n %s", StringUtils.join(missing, "\n")));
+        }
+    }
+
     public static class RoleBuilder {
         private Role role = new Role();
         private List<String> permissionsByNames = new ArrayList<>();
diff --git a/plugin/ceph/src/main/java/org/zstack/storage/ceph/RBACInfo.java b/plugin/ceph/src/main/java/org/zstack/storage/ceph/RBACInfo.java
@@ -14,7 +14,10 @@ public void permissions() {
 
     @Override
     public void contributeToRoles() {
-
+        roleContributorBuilder()
+                .roleName("image")
+                .actions(APIQueryCephBackupStorageMsg.class)
+                .build();
     }
 
     @Override
diff --git a/plugin/sftpBackupStorage/src/main/java/org/zstack/storage/backup/sftp/RBACInfo.java b/plugin/sftpBackupStorage/src/main/java/org/zstack/storage/backup/sftp/RBACInfo.java
@@ -6,14 +6,18 @@ public class RBACInfo implements RBACDescription {
     @Override
     public void permissions() {
         permissionBuilder()
+                .name("sftp")
                 .adminOnlyAPIs("org.zstack.storage.backup.sftp.**")
                 .normalAPIs(APIQuerySftpBackupStorageMsg.class)
                 .build();
     }
 
     @Override
     public void contributeToRoles() {
-
+        roleContributorBuilder()
+                .roleName("image")
+                .actionsByPermissionName("sftp")
+                .build();
     }
 
     @Override
