MXS-1354: Add user authorization to maxadmin

All commands that modify the internal state of MaxScale now require admin level authorization.
2017-08-16 14:29:58 +03:00
parent 9f81f0775f
commit 828649ba99
5 changed files with 66 additions and 6 deletions
--- a/server/modules/protocol/maxscaled/maxscaled.c
+++ b/server/modules/protocol/maxscaled/maxscaled.c
@ -241,7 +241,12 @@ static int maxscaled_read_event(DCB* dcb)
                {
                case MAXSCALED_STATE_LOGIN:
                    {
-                        maxscaled->username = strndup((char*)GWBUF_DATA(head), GWBUF_LENGTH(head));
+                        size_t len = GWBUF_LENGTH(head);
+                        char user[len + 1];
+                        memcpy(user, GWBUF_DATA(head), len);
+                        user[len] = '\0';
+                        maxscaled->username = MXS_STRDUP_A(user);
+                        dcb->user = MXS_STRDUP_A(user);
                        maxscaled->state = MAXSCALED_STATE_PASSWD;
                        dcb_printf(dcb, MAXADMIN_AUTH_PASSWORD_PROMPT);
                        gwbuf_free(head);
--- a/server/modules/routing/debugcli/debugcmd.c
+++ b/server/modules/routing/debugcli/debugcmd.c
@ -1774,6 +1774,11 @@ static struct
    { NULL,         NULL    }
 };

+static bool command_requires_admin_privileges(const char* cmd)
+{
+    return strcmp(cmd, "list") != 0 && strcmp(cmd, "show") != 0;
+}
+
 /**
 * Convert a string argument to a numeric, observing prefixes
 * for number bases, e.g. 0x for hex, 0 for octal
@ -1846,6 +1851,28 @@ static void free_arg(int arg_type, void *value)
    }
 }

+static bool user_is_authorized(DCB* dcb)
+{
+    bool rval = true;
+
+    if (strcmp(dcb->remote, "localhost") == 0)
+    {
+        if (!admin_user_is_unix_admin(dcb->user))
+        {
+            rval = false;
+        }
+    }
+    else
+    {
+        if (!admin_user_is_inet_admin(dcb->user))
+        {
+            rval = false;
+        }
+    }
+
+    return rval;
+}
+
 static SPINLOCK debugcmd_lock = SPINLOCK_INIT;

 static const char item_separator[] =
@ -2006,6 +2033,13 @@ execute_cmd(CLI_SESSION *cli)
                    {
                        found = 1; /**< command and sub-command match */

+                        if (command_requires_admin_privileges(cmds[i].cmd) &&
+                            !user_is_authorized(dcb))
+                        {
+                            dcb_printf(dcb, "Access denied, administrative privileges required.\n");
+                            break;
+                        }
+
                        if (cmds[i].options[j].argc_min == cmds[i].options[j].argc_max &&
                            argc != cmds[i].options[j].argc_min)
                        {