MXS-1354: Add user authorization to maxadmin

All commands that modify the internal state of MaxScale now require admin level authorization.
2017-08-16 14:29:58 +03:00
parent 9f81f0775f
commit 828649ba99
5 changed files with 66 additions and 6 deletions
--- a/server/modules/routing/debugcli/debugcmd.c
+++ b/server/modules/routing/debugcli/debugcmd.c
@ -1774,6 +1774,11 @@ static struct
    { NULL,         NULL    }
 };

+static bool command_requires_admin_privileges(const char* cmd)
+{
+    return strcmp(cmd, "list") != 0 && strcmp(cmd, "show") != 0;
+}
+
 /**
 * Convert a string argument to a numeric, observing prefixes
 * for number bases, e.g. 0x for hex, 0 for octal
@ -1846,6 +1851,28 @@ static void free_arg(int arg_type, void *value)
    }
 }

+static bool user_is_authorized(DCB* dcb)
+{
+    bool rval = true;
+
+    if (strcmp(dcb->remote, "localhost") == 0)
+    {
+        if (!admin_user_is_unix_admin(dcb->user))
+        {
+            rval = false;
+        }
+    }
+    else
+    {
+        if (!admin_user_is_inet_admin(dcb->user))
+        {
+            rval = false;
+        }
+    }
+
+    return rval;
+}
+
 static SPINLOCK debugcmd_lock = SPINLOCK_INIT;

 static const char item_separator[] =
@ -2006,6 +2033,13 @@ execute_cmd(CLI_SESSION *cli)
                    {
                        found = 1; /**< command and sub-command match */

+                        if (command_requires_admin_privileges(cmds[i].cmd) &&
+                            !user_is_authorized(dcb))
+                        {
+                            dcb_printf(dcb, "Access denied, administrative privileges required.\n");
+                            break;
+                        }
+
                        if (cmds[i].options[j].argc_min == cmds[i].options[j].argc_max &&
                            argc != cmds[i].options[j].argc_min)
                        {