microsoft / DurableFunctionsMonitor

A monitoring/debugging UI tool for Azure Durable Functions


Allow to have 2 roles one for Readonly and one for execution

bhugot opened this issue · comments

Hello, unless I missed it, there is no way to handle the read-only and non-read-only modes by different groups. It would be cool to be able to display orchestrations to some users, with others able to execute commands on them.

Thanks @bhugot , this indeed sounds like a useful feature to be added.

Until then, as a workaround, you can run two separate DfMon instances (readonly and non-readonly), with relevant DFM_ALLOWED_APP_ROLES settings.

Here is the suggested way of implementing it:

  1. Create a new DFM_ALLOWED_READ_ONLY_APP_ROLES config setting, with similar semantics (a set of comma-separated role names).

  2. Generally make DFM_ALLOWED_APP_ROLES and DFM_ALLOWED_READ_ONLY_APP_ROLES act as a UNION. That is, a user should generally be allowed if they have EITHER one role type OR the other. The code that validates roles is here; it just needs to check this new setting in addition to the older one.

  3. Implement a new ThrowIfInReadOnlyMode() method in Auth.cs. As the name suggests, it should check if we're currently in the ReadOnly mode. We're currently in ReadOnly mode when:

    EITHER
    DfmEndpoint.Settings.Mode == DfmMode.ReadOnly
    OR
    the current user has one of DFM_ALLOWED_READ_ONLY_APP_ROLES

    Once in ReadOnly mode, the method should throw an AccessViolationException with proper text description. Otherwise do nothing.

  4. Add exception handling logic for AccessViolationException here. Similarly to the existing handlers, the HandleErrors() method should log the exception and then return new StatusCodeResult(403);

  5. Replace all checks like DfmEndpoint.Settings.Mode == DfmMode.ReadOnly with a simple call to this new Auth.ThrowIfInReadOnlyMode() method.

  6. Write unit tests as appropriate.

  7. (Ideally) Propagate the DfmEndpoint.Settings.Mode value to the client via the /About method (this method is a good candidate for this extra functionality, because it is the first authenticated method called by the client) and then disable all relevant actions/buttons if it is equal to DfmMode.ReadOnly.
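The seven steps above, modelled end to end as an added example. This is not DurableFunctionsMonitor's own code: the DfmSettings, ReadOnlyAuth and Program types, the "roles" claim type used to read app roles from the ClaimsPrincipal, and the role names DfmAdmin/DfmViewer are assumptions made for illustration. It shows the UNION check from step 2, the read-only check from step 3, and the exception-to-status mapping from step 4, and it makes one edge case explicit: a user who holds both a full-access role and a read-only role is treated as read-only, so an over-broad group assignment fails closed rather than open.

```csharp
// Added example, not DurableFunctionsMonitor code. All type and role names
// below are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public enum DfmMode { Normal, ReadOnly }

public class DfmSettings
{
    public DfmMode Mode { get; set; } = DfmMode.Normal;
    public HashSet<string> AllowedAppRoles { get; }          // DFM_ALLOWED_APP_ROLES
    public HashSet<string> AllowedReadOnlyAppRoles { get; }  // DFM_ALLOWED_READ_ONLY_APP_ROLES

    // Both settings are comma-separated role names, same semantics as the existing one.
    public DfmSettings(string allowedAppRoles, string allowedReadOnlyAppRoles)
    {
        AllowedAppRoles = ParseRoles(allowedAppRoles);
        AllowedReadOnlyAppRoles = ParseRoles(allowedReadOnlyAppRoles);
    }

    private static HashSet<string> ParseRoles(string csv) =>
        new HashSet<string>(
            (csv ?? string.Empty)
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                .Select(r => r.Trim())
                .Where(r => r.Length > 0),
            StringComparer.Ordinal);
}

public static class ReadOnlyAuth
{
    // Assumed claim type; Entra ID app roles normally arrive as "roles" claims.
    private const string RoleClaimType = "roles";

    private static IEnumerable<string> RolesOf(ClaimsPrincipal user) =>
        user.Claims.Where(c => c.Type == RoleClaimType).Select(c => c.Value);

    // Step 2: UNION semantics. The user is allowed in if they hold ANY role from
    // EITHER list. With neither list configured, no role restriction applies.
    public static void ThrowIfNotAllowed(DfmSettings s, ClaimsPrincipal user)
    {
        if (s.AllowedAppRoles.Count == 0 && s.AllowedReadOnlyAppRoles.Count == 0) return;

        var allowed = new HashSet<string>(s.AllowedAppRoles, StringComparer.Ordinal);
        allowed.UnionWith(s.AllowedReadOnlyAppRoles);

        if (!RolesOf(user).Any(allowed.Contains))
            throw new UnauthorizedAccessException("User has none of the allowed app roles");
    }

    // Step 3: read-only if the whole instance is read-only OR the user holds a
    // read-only role. Holding a full-access role as well does not lift it.
    public static bool IsReadOnly(DfmSettings s, ClaimsPrincipal user) =>
        s.Mode == DfmMode.ReadOnly
        || RolesOf(user).Any(s.AllowedReadOnlyAppRoles.Contains);

    public static void ThrowIfInReadOnlyMode(DfmSettings s, ClaimsPrincipal user)
    {
        if (IsReadOnly(s, user))
            throw new AccessViolationException(
                "DfMon is in ReadOnly mode for this user; this operation is not allowed");
    }

    // Step 4: the HandleErrors() analogue. Logs and maps to an HTTP status:
    // 401 for "not allowed at all", 403 for "allowed, but read-only".
    public static int HandleErrors(Action action)
    {
        try { action(); return 200; }
        catch (UnauthorizedAccessException e) { Console.Error.WriteLine(e.Message); return 401; }
        catch (AccessViolationException e)    { Console.Error.WriteLine(e.Message); return 403; }
    }
}

public static class Program
{
    private static ClaimsPrincipal UserWithRoles(params string[] roles) =>
        new ClaimsPrincipal(new ClaimsIdentity(roles.Select(r => new Claim("roles", r)), "test"));

    public static void Main()
    {
        // Constructed configuration: DfmAdmin may execute, DfmViewer may only look.
        var settings = new DfmSettings("DfmAdmin", "DfmViewer");

        var admin  = UserWithRoles("DfmAdmin");
        var viewer = UserWithRoles("DfmViewer");
        var both   = UserWithRoles("DfmAdmin", "DfmViewer");
        var nobody = UserWithRoles("Unrelated");

        // Step 5: a mutating endpoint calls ThrowIfInReadOnlyMode() instead of
        // comparing DfmEndpoint.Settings.Mode itself.
        int Terminate(ClaimsPrincipal u) => ReadOnlyAuth.HandleErrors(() =>
        {
            ReadOnlyAuth.ThrowIfNotAllowed(settings, u);
            ReadOnlyAuth.ThrowIfInReadOnlyMode(settings, u);
        });

        Console.WriteLine($"admin  -> {Terminate(admin)}");
        Console.WriteLine($"viewer -> {Terminate(viewer)}");
        Console.WriteLine($"both   -> {Terminate(both)}");
        Console.WriteLine($"nobody -> {Terminate(nobody)}");

        settings.Mode = DfmMode.ReadOnly;   // whole instance switched to read-only
        Console.WriteLine($"admin, instance read-only -> {Terminate(admin)}");
    }
}
```

With this configuration the admin gets 200, the viewer and the user holding both roles get 403, the user with an unrelated role gets 401, and once the instance itself is in ReadOnly mode even the admin gets 403. Two practical notes: an AccessViolationException thrown explicitly from managed code is an ordinary catchable exception, so the HandleErrors() pattern above works; it is only the runtime-raised variety (a real invalid memory access) that .NET Framework 4+ refuses to deliver to catch blocks. And step 7, hiding buttons on the client based on /About, is a usability measure only; the server-side ThrowIfInReadOnlyMode() call in every mutating endpoint is the actual control, since a read-only user can always call the HTTP API directly.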

Implemented in v6.0.
@bhugot , please, validate.

Thanks @scale-tone, will try it soon.