diff --git a/api/http/handler/settings/settings_public.go b/api/http/handler/settings/settings_public.go index e70125afe..0f207b240 100644 --- a/api/http/handler/settings/settings_public.go +++ b/api/http/handler/settings/settings_public.go @@ -10,15 +10,16 @@ import ( ) type publicSettingsResponse struct { - LogoURL string `json:"LogoURL"` - AuthenticationMethod portainer.AuthenticationMethod `json:"AuthenticationMethod"` - AllowBindMountsForRegularUsers bool `json:"AllowBindMountsForRegularUsers"` - AllowPrivilegedModeForRegularUsers bool `json:"AllowPrivilegedModeForRegularUsers"` - AllowVolumeBrowserForRegularUsers bool `json:"AllowVolumeBrowserForRegularUsers"` - EnableHostManagementFeatures bool `json:"EnableHostManagementFeatures"` - EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures"` - ExternalTemplates bool `json:"ExternalTemplates"` - OAuthLoginURI string `json:"OAuthLoginURI"` + LogoURL string `json:"LogoURL"` + AuthenticationMethod portainer.AuthenticationMethod `json:"AuthenticationMethod"` + AllowBindMountsForRegularUsers bool `json:"AllowBindMountsForRegularUsers"` + AllowPrivilegedModeForRegularUsers bool `json:"AllowPrivilegedModeForRegularUsers"` + AllowVolumeBrowserForRegularUsers bool `json:"AllowVolumeBrowserForRegularUsers"` + EnableHostManagementFeatures bool `json:"EnableHostManagementFeatures"` + EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures"` + ExternalTemplates bool `json:"ExternalTemplates"` + OAuthLoginURI string `json:"OAuthLoginURI"` + DisableStackManagementForRegularUsers bool `json:"DisableStackManagementForRegularUsers"` } // GET request on /api/settings/public @@ -42,6 +43,7 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) * settings.OAuthSettings.ClientID, settings.OAuthSettings.RedirectURI, settings.OAuthSettings.Scopes), + DisableStackManagementForRegularUsers: settings.DisableStackManagementForRegularUsers, } if settings.TemplatesURL != "" { diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go index cef3bdf0f..242a115c3 100644 --- a/api/http/handler/settings/settings_update.go +++ b/api/http/handler/settings/settings_update.go @@ -12,19 +12,20 @@ import ( ) type settingsUpdatePayload struct { - LogoURL *string - BlackListedLabels []portainer.Pair - AuthenticationMethod *int - LDAPSettings *portainer.LDAPSettings - OAuthSettings *portainer.OAuthSettings - AllowBindMountsForRegularUsers *bool - AllowPrivilegedModeForRegularUsers *bool - AllowVolumeBrowserForRegularUsers *bool - EnableHostManagementFeatures *bool - SnapshotInterval *string - TemplatesURL *string - EdgeAgentCheckinInterval *int - EnableEdgeComputeFeatures *bool + LogoURL *string + BlackListedLabels []portainer.Pair + AuthenticationMethod *int + LDAPSettings *portainer.LDAPSettings + OAuthSettings *portainer.OAuthSettings + AllowBindMountsForRegularUsers *bool + AllowPrivilegedModeForRegularUsers *bool + AllowVolumeBrowserForRegularUsers *bool + EnableHostManagementFeatures *bool + SnapshotInterval *string + TemplatesURL *string + EdgeAgentCheckinInterval *int + EnableEdgeComputeFeatures *bool + DisableStackManagementForRegularUsers *bool } func (payload *settingsUpdatePayload) Validate(r *http.Request) error { @@ -114,6 +115,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) * settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures } + if payload.DisableStackManagementForRegularUsers != nil { + settings.DisableStackManagementForRegularUsers = *payload.DisableStackManagementForRegularUsers + } + if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval { err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval) if err != nil { diff --git a/api/http/handler/stacks/handler.go b/api/http/handler/stacks/handler.go index d0a6b4ea5..e9c6c241c 100644 --- a/api/http/handler/stacks/handler.go +++ b/api/http/handler/stacks/handler.go @@ -87,3 +87,27 @@ func (handler *Handler) userCanAccessStack(securityContext *security.RestrictedR } return false, nil } + +func (handler *Handler) userCanCreateStack(securityContext *security.RestrictedRequestContext, endpointID portainer.EndpointID) (bool, error) { + if securityContext.IsAdmin { + return true, nil + } + + _, err := handler.ExtensionService.Extension(portainer.RBACExtension) + if err == portainer.ErrObjectNotFound { + return false, nil + } else if err != nil && err != portainer.ErrObjectNotFound { + return false, err + } + + user, err := handler.UserService.User(securityContext.UserID) + if err != nil { + return false, err + } + + _, ok := user.EndpointAuthorizations[endpointID][portainer.EndpointResourcesAccess] + if ok { + return true, nil + } + return false, nil +} diff --git a/api/http/handler/stacks/stack_create.go b/api/http/handler/stacks/stack_create.go index 43831a200..229b3fce9 100644 --- a/api/http/handler/stacks/stack_create.go +++ b/api/http/handler/stacks/stack_create.go @@ -43,6 +43,29 @@ func (handler *Handler) stackCreate(w http.ResponseWriter, r *http.Request) *htt return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: endpointId", err} } + settings, err := handler.SettingsService.Settings() + if err != nil { + return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err} + } + + if settings.DisableStackManagementForRegularUsers { + securityContext, err := security.RetrieveRestrictedRequestContext(r) + if err != nil { + return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err} + } + + canCreate, err := handler.userCanCreateStack(securityContext, portainer.EndpointID(endpointID)) + + if err != nil { + return &httperror.HandlerError{http.StatusInternalServerError, "Unable to verify user authorizations to validate stack creation", err} + } + + if !canCreate { + errMsg := "Stack creation is disabled for non-admin users" + return &httperror.HandlerError{http.StatusForbidden, errMsg, errors.New(errMsg)} + } + } + endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID)) if err == portainer.ErrObjectNotFound { return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err} diff --git a/api/portainer.go b/api/portainer.go index 22806c191..471c22928 100644 --- a/api/portainer.go +++ b/api/portainer.go @@ -420,19 +420,20 @@ type ( // Settings represents the application settings Settings struct { - LogoURL string `json:"LogoURL"` - BlackListedLabels []Pair `json:"BlackListedLabels"` - AuthenticationMethod AuthenticationMethod `json:"AuthenticationMethod"` - LDAPSettings LDAPSettings `json:"LDAPSettings"` - OAuthSettings OAuthSettings `json:"OAuthSettings"` - AllowBindMountsForRegularUsers bool `json:"AllowBindMountsForRegularUsers"` - AllowPrivilegedModeForRegularUsers bool `json:"AllowPrivilegedModeForRegularUsers"` - AllowVolumeBrowserForRegularUsers bool `json:"AllowVolumeBrowserForRegularUsers"` - SnapshotInterval string `json:"SnapshotInterval"` - TemplatesURL string `json:"TemplatesURL"` - EnableHostManagementFeatures bool `json:"EnableHostManagementFeatures"` - EdgeAgentCheckinInterval int `json:"EdgeAgentCheckinInterval"` - EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures"` + LogoURL string `json:"LogoURL"` + BlackListedLabels []Pair `json:"BlackListedLabels"` + AuthenticationMethod AuthenticationMethod `json:"AuthenticationMethod"` + LDAPSettings LDAPSettings `json:"LDAPSettings"` + OAuthSettings OAuthSettings `json:"OAuthSettings"` + AllowBindMountsForRegularUsers bool `json:"AllowBindMountsForRegularUsers"` + AllowPrivilegedModeForRegularUsers bool `json:"AllowPrivilegedModeForRegularUsers"` + AllowVolumeBrowserForRegularUsers bool `json:"AllowVolumeBrowserForRegularUsers"` + SnapshotInterval string `json:"SnapshotInterval"` + TemplatesURL string `json:"TemplatesURL"` + EnableHostManagementFeatures bool `json:"EnableHostManagementFeatures"` + EdgeAgentCheckinInterval int `json:"EdgeAgentCheckinInterval"` + EnableEdgeComputeFeatures bool `json:"EnableEdgeComputeFeatures"` + DisableStackManagementForRegularUsers bool `json:"DisableStackManagementForRegularUsers"` // Deprecated fields DisplayDonationHeader bool diff --git a/app/docker/components/dockerSidebarContent/docker-sidebar-content.js b/app/docker/components/dockerSidebarContent/docker-sidebar-content.js index b57e4cdcb..5c3eaac3f 100644 --- a/app/docker/components/dockerSidebarContent/docker-sidebar-content.js +++ b/app/docker/components/dockerSidebarContent/docker-sidebar-content.js @@ -6,5 +6,6 @@ angular.module('portainer.docker').component('dockerSidebarContent', { standaloneManagement: '<', adminAccess: '<', offlineMode: '<', + hideStacks: '<', }, }); diff --git a/app/docker/components/dockerSidebarContent/dockerSidebarContent.html b/app/docker/components/dockerSidebarContent/dockerSidebarContent.html index c5aec5434..2b7915c6a 100644 --- a/app/docker/components/dockerSidebarContent/dockerSidebarContent.html +++ b/app/docker/components/dockerSidebarContent/dockerSidebarContent.html @@ -4,7 +4,7 @@
  • App Templates
    • -
  • +
  • Stacks
  • diff --git a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html index a4010af61..f99963368 100644 --- a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html +++ b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.html @@ -2,7 +2,7 @@
    -
    {{ $ctrl.titleText }}
    +
    {{ $ctrl.titleText }}
    Settings @@ -52,7 +52,7 @@ > Remove -
    @@ -144,7 +144,10 @@
    -
    {{ $ctrl.state.selectedItemCount }} item(s) selected
    +
    + {{ $ctrl.state.selectedItemCount }} + item(s) selected +
    diff --git a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.js b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.js index 1e1e11c98..65bbc1bef 100644 --- a/app/portainer/components/datatables/stacks-datatable/stacksDatatable.js +++ b/app/portainer/components/datatables/stacks-datatable/stacksDatatable.js @@ -12,5 +12,6 @@ angular.module('portainer.app').component('stacksDatatable', { removeAction: '<', offlineMode: '<', refreshCallback: '<', + createEnabled: '<', }, }); diff --git a/app/portainer/models/settings.js b/app/portainer/models/settings.js index 7a6324005..1fc49b34c 100644 --- a/app/portainer/models/settings.js +++ b/app/portainer/models/settings.js @@ -13,6 +13,7 @@ export function SettingsViewModel(data) { this.EnableHostManagementFeatures = data.EnableHostManagementFeatures; this.EdgeAgentCheckinInterval = data.EdgeAgentCheckinInterval; this.EnableEdgeComputeFeatures = data.EnableEdgeComputeFeatures; + this.DisableStackManagementForRegularUsers = data.DisableStackManagementForRegularUsers; } export function PublicSettingsViewModel(settings) { @@ -25,6 +26,7 @@ export function PublicSettingsViewModel(settings) { this.EnableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures; this.LogoURL = settings.LogoURL; this.OAuthLoginURI = settings.OAuthLoginURI; + this.DisableStackManagementForRegularUsers = settings.DisableStackManagementForRegularUsers; } export function LDAPSettingsViewModel(data) { diff --git a/app/portainer/services/stateManager.js b/app/portainer/services/stateManager.js index 1fda3ae68..3d52085ae 100644 --- a/app/portainer/services/stateManager.js +++ b/app/portainer/services/stateManager.js @@ -76,6 +76,11 @@ angular.module('portainer.app').factory('StateManager', [ LocalStorage.storeApplicationState(state.application); }; + manager.updateDisableStackManagementForRegularUsers = function updateDisableStackManagementForRegularUsers(disableStackManagementForRegularUsers) { + state.application.disableStackManagementForRegularUsers = disableStackManagementForRegularUsers; + LocalStorage.storeApplicationState(state.application); + }; + function assignStateFromStatusAndSettings(status, settings) { state.application.authentication = status.Authentication; state.application.analytics = status.Analytics; @@ -87,6 +92,7 @@ angular.module('portainer.app').factory('StateManager', [ state.application.enableHostManagementFeatures = settings.EnableHostManagementFeatures; state.application.enableVolumeBrowserForNonAdminUsers = settings.AllowVolumeBrowserForRegularUsers; state.application.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures; + state.application.disableStackManagementForRegularUsers = settings.DisableStackManagementForRegularUsers; state.application.validity = moment().unix(); } diff --git a/app/portainer/views/settings/settings.html b/app/portainer/views/settings/settings.html index 3f3da4b74..3875df8a4 100644 --- a/app/portainer/views/settings/settings.html +++ b/app/portainer/views/settings/settings.html @@ -120,6 +120,16 @@
    +
    +
    + + +
    +
    diff --git a/app/portainer/views/settings/settingsController.js b/app/portainer/views/settings/settingsController.js index eba237506..43e326eab 100644 --- a/app/portainer/views/settings/settingsController.js +++ b/app/portainer/views/settings/settingsController.js @@ -33,6 +33,7 @@ angular.module('portainer.app').controller('SettingsController', [ enableHostManagementFeatures: false, enableVolumeBrowser: false, enableEdgeComputeFeatures: false, + disableStackManagementForRegularUsers: false, }; $scope.removeFilteredContainerLabel = function (index) { @@ -69,6 +70,7 @@ angular.module('portainer.app').controller('SettingsController', [ settings.AllowVolumeBrowserForRegularUsers = $scope.formValues.enableVolumeBrowser; settings.EnableHostManagementFeatures = $scope.formValues.enableHostManagementFeatures; settings.EnableEdgeComputeFeatures = $scope.formValues.enableEdgeComputeFeatures; + settings.DisableStackManagementForRegularUsers = $scope.formValues.disableStackManagementForRegularUsers; $scope.state.actionInProgress = true; updateSettings(settings); @@ -83,6 +85,7 @@ angular.module('portainer.app').controller('SettingsController', [ StateManager.updateEnableHostManagementFeatures(settings.EnableHostManagementFeatures); StateManager.updateEnableVolumeBrowserForNonAdminUsers(settings.AllowVolumeBrowserForRegularUsers); StateManager.updateEnableEdgeComputeFeatures(settings.EnableEdgeComputeFeatures); + StateManager.updateDisableStackManagementForRegularUsers(settings.DisableStackManagementForRegularUsers); $state.reload(); }) .catch(function error(err) { @@ -109,6 +112,7 @@ angular.module('portainer.app').controller('SettingsController', [ $scope.formValues.enableVolumeBrowser = settings.AllowVolumeBrowserForRegularUsers; $scope.formValues.enableHostManagementFeatures = settings.EnableHostManagementFeatures; $scope.formValues.enableEdgeComputeFeatures = settings.EnableEdgeComputeFeatures; + $scope.formValues.disableStackManagementForRegularUsers = settings.DisableStackManagementForRegularUsers; }) .catch(function error(err) { Notifications.error('Failure', err, 'Unable to retrieve application settings'); diff --git a/app/portainer/views/sidebar/sidebar.html b/app/portainer/views/sidebar/sidebar.html index 8e1a3f4d9..3a2d13666 100644 --- a/app/portainer/views/sidebar/sidebar.html +++ b/app/portainer/views/sidebar/sidebar.html @@ -16,6 +16,7 @@
    diff --git a/app/portainer/views/stacks/stacksController.js b/app/portainer/views/stacks/stacksController.js index 51df14d77..62c2c42a5 100644 --- a/app/portainer/views/stacks/stacksController.js +++ b/app/portainer/views/stacks/stacksController.js @@ -1,65 +1,85 @@ -angular.module('portainer.app').controller('StacksController', [ - '$scope', - '$state', - 'Notifications', - 'StackService', - 'ModalService', - 'EndpointProvider', - function ($scope, $state, Notifications, StackService, ModalService, EndpointProvider) { - $scope.removeAction = function (selectedItems) { - ModalService.confirmDeletion('Do you want to remove the selected stack(s)? Associated services will be removed as well.', function onConfirm(confirmed) { - if (!confirmed) { - return; - } - deleteSelectedStacks(selectedItems); - }); - }; +angular.module('portainer.app').controller('StacksController', StacksController); - function deleteSelectedStacks(stacks) { - var endpointId = EndpointProvider.endpointID(); - var actionCount = stacks.length; - angular.forEach(stacks, function (stack) { - StackService.remove(stack, stack.External, endpointId) - .then(function success() { - Notifications.success('Stack successfully removed', stack.Name); - var index = $scope.stacks.indexOf(stack); - $scope.stacks.splice(index, 1); - }) - .catch(function error(err) { - Notifications.error('Failure', err, 'Unable to remove stack ' + stack.Name); - }) - .finally(function final() { - --actionCount; - if (actionCount === 0) { - $state.reload(); - } - }); - }); - } +/* @ngInject */ +function StacksController($scope, $state, Notifications, StackService, ModalService, EndpointProvider, Authentication, StateManager, ExtensionService) { + $scope.removeAction = function (selectedItems) { + ModalService.confirmDeletion('Do you want to remove the selected stack(s)? Associated services will be removed as well.', function onConfirm(confirmed) { + if (!confirmed) { + return; + } + deleteSelectedStacks(selectedItems); + }); + }; - $scope.offlineMode = false; - - $scope.getStacks = getStacks; - function getStacks() { - var endpointMode = $scope.applicationState.endpoint.mode; - var endpointId = EndpointProvider.endpointID(); - - StackService.stacks(true, endpointMode.provider === 'DOCKER_SWARM_MODE' && endpointMode.role === 'MANAGER', endpointId) - .then(function success(data) { - var stacks = data; - $scope.stacks = stacks; - $scope.offlineMode = EndpointProvider.offlineMode(); + function deleteSelectedStacks(stacks) { + var endpointId = EndpointProvider.endpointID(); + var actionCount = stacks.length; + angular.forEach(stacks, function (stack) { + StackService.remove(stack, stack.External, endpointId) + .then(function success() { + Notifications.success('Stack successfully removed', stack.Name); + var index = $scope.stacks.indexOf(stack); + $scope.stacks.splice(index, 1); }) .catch(function error(err) { - $scope.stacks = []; - Notifications.error('Failure', err, 'Unable to retrieve stacks'); + Notifications.error('Failure', err, 'Unable to remove stack ' + stack.Name); + }) + .finally(function final() { + --actionCount; + if (actionCount === 0) { + $state.reload(); + } }); + }); + } + + $scope.offlineMode = false; + $scope.createEnabled = false; + + $scope.getStacks = getStacks; + + function getStacks() { + var endpointMode = $scope.applicationState.endpoint.mode; + var endpointId = EndpointProvider.endpointID(); + + StackService.stacks(true, endpointMode.provider === 'DOCKER_SWARM_MODE' && endpointMode.role === 'MANAGER', endpointId) + .then(function success(data) { + var stacks = data; + $scope.stacks = stacks; + $scope.offlineMode = EndpointProvider.offlineMode(); + }) + .catch(function error(err) { + $scope.stacks = []; + Notifications.error('Failure', err, 'Unable to retrieve stacks'); + }); + } + + async function loadCreateEnabled() { + const appState = StateManager.getState().application; + if (!appState.disableStackManagementForRegularUsers) { + return true; } - function initView() { - getStacks(); + let isAdmin = true; + if (appState.authentication) { + isAdmin = Authentication.isAdmin(); + } + if (isAdmin) { + return true; } - initView(); - }, -]); + const RBACExtensionEnabled = await ExtensionService.extensionEnabled(ExtensionService.EXTENSIONS.RBAC); + if (!RBACExtensionEnabled) { + return false; + } + + return Authentication.hasAuthorizations(['EndpointResourcesAccess']); + } + + async function initView() { + getStacks(); + $scope.createEnabled = await loadCreateEnabled(); + } + + initView(); +}