Lock out plugins when in GPOS STIG mode
Certain TrueNAS features are incompatible with requirements for the GPOS STIG. This commit makes changes to our RBAC framework to decrease effective privileges granted to all credentials to prevent configuring non-compliant services and to give UI hints about which features to disable. As a result of these changes, the allowlist column is dropped from the privilege table. Internally our credentials still generate an allowlist in order to perform RBAC checks. The allowlist changes have a functional impact on privilege framework regarding REST API access. After these changes, only credentials with FULL_ADMIN privilege will be allowed REST access and only when server does not have STIG rules applied.
Showing 35 changed files with 311 additions and 159 deletions.
32 changes: 32 additions & 0 deletions
...lewared/middlewared/alembic/versions/25.04/2024-12-11_20-52_remove-privilege-allowlist.py
@@ -0,0 +1,32 @@ | ||
""" Remove privilege allowlist | ||
Revision ID: aea6bced4328 | ||
Revises: b44c092bfa30 | ||
Create Date: 2024-12-11 20:52:26.972597+00:00 | ||
""" | ||
from alembic import op | ||
import sqlalchemy as sa | ||
|
||
|
||
# revision identifiers, used by Alembic. | ||
revision = 'aea6bced4328' | ||
down_revision = 'b44c092bfa30' | ||
branch_labels = None | ||
depends_on = None | ||
|
||
def upgrade(): | ||
# ### commands auto generated by Alembic - please adjust! ### | ||
op.execute("UPDATE account_privilege SET roles='[\"FULL_ADMIN\"]' WHERE allowlist='[{\"method\": \"*\", \"resource\": \"*\"}]'") | ||
with op.batch_alter_table('account_privilege', schema=None) as batch_op: | ||
batch_op.drop_column('allowlist') | ||
|
||
# ### end Alembic commands ### | ||
|
||
|
||
def downgrade(): | ||
# ### commands auto generated by Alembic - please adjust! ### | ||
with op.batch_alter_table('account_privilege', schema=None) as batch_op: | ||
batch_op.add_column(sa.Column('allowlist', sa.TEXT(), nullable=False)) | ||
|
||
# ### end Alembic commands ### |
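Review bot: In upgrade(), the UPDATE only promotes rows whose allowlist text is exactly `[{"method": "*", "resource": "*"}]`; because allowlist is a TEXT column compared as a string, the same wildcard serialized with different whitespace or key order is missed, and any other non-empty allowlist is simply discarded by `batch_op.drop_column('allowlist')` with no roles written, so those credentials silently lose access instead of being migrated or surfaced. Consider reading the rows in Python, json-decoding allowlist, and deciding per row (mapping the wildcard to FULL_ADMIN and at least logging every other non-empty allowlist) before dropping the column. The UPDATE also replaces roles wholesale rather than appending FULL_ADMIN; if a row can carry both roles and an allowlist, confirm that overwrite is intended. Separately, downgrade() adds allowlist as NOT NULL with no server_default and never repopulates it from roles, so the copy that batch mode performs to rebuild the table has no value for the new column and the downgrade fails on any table that already has rows (and even if it succeeded, every privilege would come back with an empty allowlist). Either give the column a default such as `'[]'` or reconstruct the wildcard entry for FULL_ADMIN rows in downgrade().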