Prevent non hyper-v admin users to execute machine commands #27650
Conversation
|
@l0rd PTAL |
| assert.Equal(t, []define.VMType{define.AppleHvVirt, define.LibKrun}, SupportedProviders()) | ||
| case "windows": | ||
| assert.Equal(t, []define.VMType{define.WSLVirt, define.HyperVVirt}, SupportedProviders()) | ||
| assert.Equal(t, []define.VMType{define.HyperVVirt, define.WSLVirt}, SupportedProviders()) |
There was a problem hiding this comment.
Bc SupportedProviders() returns []define.VMType{define.HyperVVirt, define.WSLVirt} and assert.Equal performs a strict comparison so the items order matters. It failed the way it was written.
There was a problem hiding this comment.
Can't you use assert.ElementsMatch or similar? I dislike having tests be this fragile.
| // Variables to hold permission check functions for testing purposes. | ||
| var ( | ||
| hasAdminRightsFunc = windows.HasAdminRights | ||
| hasHyperVAdminRightsFunc = hyperv.HasHyperVAdminRights |
There was a problem hiding this comment.
These don't seem to add much as written. It seems like a single functioning combining both would be more useful, and line 86 could just be windows.HasAdminRights()
There was a problem hiding this comment.
@lstocchi you could add a new hyperv.CanList() function similar to the hyperv.canCreate() where you hide the logic.
There was a problem hiding this comment.
done. I named it HasHyperVPermissions as it's more generic and not just related to list, let me know
| new(wsl.WSLStubber), | ||
| new(hyperv.HyperVStubber), | ||
| } | ||
| if hasAdminRightsFunc() || hasHyperVAdminRightsFunc() { |
There was a problem hiding this comment.
I am struggling with the logic here if I am a user. If I don't have permissions, should it not exist? Earlier, when we returned an error, that certainly made sense to me.
There was a problem hiding this comment.
They have two different purposes imo. Above (GetByVMType()) returns an error because user is explicitly executing a command and if they do not have rights to do so we stop them and return an error.
GetAll is more a discovery thing. It is used by the list command. If someone wants to list machines, it's annoying to show an error message, maybe they're just interested to WSL. So if you don't have permissions to work with Hyper-V it skips it. Hyper-v console works the same - if you don't have the rights you see nothing.
There was a problem hiding this comment.
This is about podman machine ls, and the problem has changed in 6.0. If the user doesn't have privileges we still want to list WSL machines.
But we should indeed fail when the user specifies --provider hyperv. And if the default provider is hyperv too.
Update GetAll() and GetByVMType() to add a check to prevent non hyper-v admin users to interact with hyperv machines. Users can work with hyperv machines only with elevated rights or if members of the hyperv administrators group Signed-off-by: lstocchi <lstocchi@redhat.com>
fixes broken windows tests and enables them to be run on windows CI Signed-off-by: lstocchi <lstocchi@redhat.com>
Signed-off-by: lstocchi <lstocchi@redhat.com>
There was a problem hiding this comment.
I did some tests and all work as expected with the expection of some corner cases.
Inspecting or starting a WSL machine, if the default provider is hyperv, fails:
> $env:CONTAINERS_MACHINE_PROVIDER="hyperv"
> podman.exe machine inspect mywslmachine`
Error: Hyper-V machines require Hyper-V admin rights...
> podman.exe machine start mywslmachine`
Error: Hyper-V machines require Hyper-V admin rights...And this is awkward because podman machine ls works and shows the WSL machines. But that may not be related to this PR.
Also commands like machine cp, machine ssh etc..., against an hyperv machine, should work too, even if the user doesn't have Hyper-V admin privileges.
That said these scenarios aren't blockers from my point of view.
|
From my point of view this PR is now mergeable as is. It's up to @lstocchi, if he has bandwidth, to fix those corner cases. Otherwise I will open an issue and we can prioritize them later. Let's wait for him to come back (today is national holiday but tomorrow he should be back). |
I think this is a change that would affect all OSes with more than 1 provider, not just Windows. I'd rather have a separate PR to test it also on macOS.
I'm going to add the change here as it seems related to this PR |
|
After discussion we decided that it was ok to merge the PR as is. I have created a separate issue #27723 /approve /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: l0rd, lstocchi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/lgtm |
4 participants
Following the work done in #26277 (which allowed init and remove operations for the "Hyper-V Administrators" group), this PR extends that logic to all actions targeting Hyper-v machines.
it resolves #27614
Checklist
Ensure you have completed the following checklist for your pull request to be reviewed:
commits. (
git commit -s). (If needed, usegit commit -s --amend). The author email must matchthe sign-off email address. See CONTRIBUTING.md
for more information.
Fixes: #00000in commit message (if applicable)make validatepr(format/lint checks)Noneif no user-facing changes)Does this PR introduce a user-facing change?