Skip to content

Prevent cluster groups from being deleted when referenced by a projects' configuration #15119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Mar 17, 2025
Merged

Prevent cluster groups from being deleted when referenced by a projects' configuration #15119

merged 10 commits into from
Mar 17, 2025

Conversation

markylaing
Copy link
Contributor

Adds an API extension clustering_groups_used_by and adds a UsedBy field to api.ClusterGroup. On GET requests, the UsedBy URLs are projects that contain the cluster group in restricted.cluster.groups. DELETE requests will fail if the cluster group is used by a project.

Closes #15118

@markylaing markylaing added the Bug Confirmed to be a bug label Mar 6, 2025
@markylaing markylaing self-assigned this Mar 6, 2025
@github-actions github-actions bot added Documentation Documentation needs updating API Changes to the REST API labels Mar 6, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 6, 2025
View reviewed changes
tomponline
tomponline reviewed Mar 10, 2025
View reviewed changes
tomponline
tomponline requested changes Mar 10, 2025
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, except the SQL injection flaw ;)

@markylaing
Copy link
Contributor Author

Looks good, except the SQL injection flaw ;)

Whoopsie 😆 Thank you CodeQL 🙏 Not sure how I convinced myself that this was ok...

@markylaing markylaing force-pushed the cluster-group-used-by branch 2 times, most recently from bac19b8 to 2e939e5 Compare March 14, 2025 12:11
tomponline
tomponline reviewed Mar 14, 2025
View reviewed changes
tomponline
tomponline reviewed Mar 14, 2025
View reviewed changes
tomponline
tomponline reviewed Mar 14, 2025
View reviewed changes
@markylaing markylaing force-pushed the cluster-group-used-by branch from 2e939e5 to c78bd05 Compare March 14, 2025 16:14
@markylaing markylaing requested a review from tomponline March 14, 2025 16:14
@tomponline
Copy link
Member

Static analysis failure

markylaing added 10 commits March 17, 2025 05:44
@markylaing
doc: Adds clustering_groups_used_by API extension.
4c6235a 
Signed-off-by: Mark Laing <[email protected]>

# Conflicts:
#	doc/api-extensions.md
#	shared/version/api.go
@markylaing
shared/api: Add used-by field to cluster group.
e807fd1 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
doc/rest-api: Refresh swagger YAML
13ca0cc 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/db: Remove ClusterGroupToAPI function.
0799191 
This duplicates `(*cluster.ClusterGroup).ToAPI`.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/db/cluster: Add GetClusterGroupUsedBy function.
53286fb 
This function queries for projects that have the group name
present in the value for the config key `restricted.cluster.groups`.
Then it parses the config value properly to check for an exact match.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd/db/cluster: Update (*ClusterGroup).ToAPI to return used by.
9330d71 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Fix make usage in cluster APIs.
29941e4 
When calling `make` we should have the form:

    make([]<type>, 0,<expected_length>)

and then append to it. Otherwise we risk having uninitialised elements
(e.g. by accidentally appending instead).

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Return cluster group used-by on GET requests.
f2322a2 
This includes a small refactor of `GET /1.0/cluster/groups`
where the handler was unnecessarily iterating over the list of
groups twice.

Signed-off-by: Mark Laing <[email protected]>
@markylaing
lxd: Prevent cluster group deletion when referenced by a project.
1854842 
Signed-off-by: Mark Laing <[email protected]>
@markylaing
test/suites: Test that a cluster group cannot be deleted when referen…
9c38fc5 
…ced by a project.

Signed-off-by: Mark Laing <[email protected]>
@markylaing markylaing force-pushed the cluster-group-used-by branch from c78bd05 to 9c38fc5 Compare March 17, 2025 05:47
@markylaing
Copy link
Contributor Author

Static analysis failure

Fixed.

tomponline
tomponline approved these changes Mar 17, 2025
View reviewed changes
Copy link
Member

@tomponline tomponline left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@tomponline tomponline merged commit 835fe31 into canonical:main Mar 17, 2025
2 checks passed
@markylaing markylaing mentioned this pull request Apr 15, 2025
Merged
tomponline added a commit that referenced this pull request Apr 15, 2025
@tomponline
Auth: Filter cluster group used by URLs (#15396)
93f8ec9 
Follow up to #15119

Cluster group used-by URLs we're not being filtered by what the caller
is able to view. This allowed restricted users to see the URLs of
projects that they do not have access to.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomponline tomponline tomponline approved these changes

Assignees

@markylaing markylaing

Labels
API Changes to the REST API Bug Confirmed to be a bug Documentation Documentation needs updating
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

project config 'restricted.cluster.groups' not checked when deleting a cluster group
2 participants
@markylaing @tomponline