feat: allow users with role Viewer and above to view resource quotas (#…

…9822)
determined-ai · Aug 15, 2024 · f7846cb · f7846cb
1 parent 97353c9
commit f7846cb
Show file tree

Hide file tree

Showing 14 changed files with 214 additions and 25 deletions.
diff --git a/harness/determined/common/api/bindings.py b/harness/determined/common/api/bindings.py
diff --git a/master/internal/api_workspace.go b/master/internal/api_workspace.go
@@ -1554,12 +1554,15 @@ func (a *apiServer) ListRPsBoundToWorkspace(
 func (a *apiServer) GetKubernetesResourceQuotas(
 	ctx context.Context, req *apiv1.GetKubernetesResourceQuotasRequest,
 ) (*apiv1.GetKubernetesResourceQuotasResponse, error) {
-	curUser, _, err := grpcutil.GetUser(ctx)
+	_, curUser, err := a.getWorkspaceAndCheckCanDoActions(
+		ctx, req.Id, false, workspace.AuthZProvider.Get().CanGetWorkspace,
+	)
 	if err != nil {
 		return nil, err
 	}
-	err = workspace.AuthZProvider.Get().CanGetWorkspaceID(
-		ctx, *curUser, req.Id,
+
+	err = workspace.AuthZProvider.Get().CanViewResourceQuotas(
+		ctx, curUser,
 	)
 	if err != nil {
 		return nil, err

diff --git a/master/internal/db/postgres_rbac_intg_test.go b/master/internal/db/postgres_rbac_intg_test.go
@@ -334,6 +334,26 @@ func TestPermissionMatch(t *testing.T) {
 		require.IsType(t, authz.PermissionDeniedError{}, err,
 			"user should not have permission to set resource quotas")
 
+		err = DoesPermissionMatch(ctx, userIDClusterAdmin, &workspaceID,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatch(ctx, userIDEditor, &workspaceID,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatch(ctx, userIDViewer, &workspaceID,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatch(ctx, userIDEditorProjectRestricted, &workspaceID,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatch(ctx, userIDEditorRestricted, &workspaceID,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
 		err = DoesPermissionMatch(ctx, userIDClusterAdmin, &workspaceID,
 			rbacv1.PermissionType_PERMISSION_TYPE_SET_WORKSPACE_NAMESPACE_BINDINGS)
 		require.NoError(t, err)
@@ -402,6 +422,26 @@ func TestPermissionMatch(t *testing.T) {
 		err = DoesPermissionMatchAll(ctx, userIDClusterAdmin,
 			rbacv1.PermissionType_PERMISSION_TYPE_SET_RESOURCE_QUOTAS, workspaceID)
 		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDClusterAdmin,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceID)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDEditor,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceID)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDViewer,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceID)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDEditorProjectRestricted,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceID)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDEditorRestricted,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceID)
+		require.NoError(t, err)
 	})
 
 	t.Run("test DoesPermissionMatchAll multiple inputs no failure", func(t *testing.T) {
@@ -421,6 +461,26 @@ func TestPermissionMatch(t *testing.T) {
 		err = DoesPermissionMatchAll(ctx, userIDClusterAdmin,
 			rbacv1.PermissionType_PERMISSION_TYPE_SET_RESOURCE_QUOTAS, workspaceIDs...)
 		require.NoError(t, err, "error when searching for permissions")
+
+		err = DoesPermissionMatchAll(ctx, userIDClusterAdmin,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceIDs...)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDEditor,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceIDs...)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDViewer,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceIDs...)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDEditorProjectRestricted,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceIDs...)
+		require.NoError(t, err)
+
+		err = DoesPermissionMatchAll(ctx, userIDEditorRestricted,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS, workspaceIDs...)
+		require.NoError(t, err)
 	})
 
 	t.Run("test DoesPermissionMatchAll multiple inputs single failure", func(t *testing.T) {
@@ -497,6 +557,22 @@ func TestPermissionMatch(t *testing.T) {
 			rbacv1.PermissionType_PERMISSION_TYPE_SET_RESOURCE_QUOTAS)
 		require.NoError(t, err)
 
+		err = DoPermissionsExist(ctx, userIDEditor,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoPermissionsExist(ctx, userIDEditorRestricted,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoPermissionsExist(ctx, userIDEditorProjectRestricted,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
+		err = DoPermissionsExist(ctx, userIDViewer,
+			rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+		require.NoError(t, err)
+
 		err = DoPermissionsExist(ctx, userIDEditorRestricted,
 			rbacv1.PermissionType_PERMISSION_TYPE_UPDATE_NSC)
 		require.IsType(t, authz.PermissionDeniedError{}, err,

diff --git a/master/internal/workspace/authz_basic_impl.go b/master/internal/workspace/authz_basic_impl.go
@@ -177,6 +177,12 @@ func (a *WorkspaceAuthZBasic) CanSetResourceQuotas(ctx context.Context, curUser
 	return nil
 }
 
+// CanViewResourceQuotas returns a nil error.
+func (a *WorkspaceAuthZBasic) CanViewResourceQuotas(ctx context.Context, curUser model.User,
+) error {
+	return nil
+}
+
 // CanSetWorkspacesDefaultPools returns a nil error.
 func (a *WorkspaceAuthZBasic) CanSetWorkspacesDefaultPools(
 	ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,

diff --git a/master/internal/workspace/authz_iface.go b/master/internal/workspace/authz_iface.go
@@ -46,7 +46,7 @@ type WorkspaceAuthZ interface {
 	CanCreateWorkspaceWithCheckpointStorageConfig(ctx context.Context, curUser model.User) error
 	CanSetWorkspaceNamespaceBindings(ctx context.Context, curUser model.User) error
 	CanSetResourceQuotas(ctx context.Context, curUser model.User) error
-
+	CanViewResourceQuotas(ctx context.Context, curUser model.User) error
 	// PATCH /api/v1/workspaces/:workspace_id
 	CanSetWorkspacesName(
 		ctx context.Context, curUser model.User, workspace *workspacev1.Workspace,

diff --git a/master/internal/workspace/authz_permissive.go b/master/internal/workspace/authz_permissive.go
@@ -171,6 +171,14 @@ func (p *WorkspaceAuthZPermissive) CanSetResourceQuotas(
 	return (&WorkspaceAuthZBasic{}).CanSetResourceQuotas(ctx, curUser)
 }
 
+// CanViewResourceQuotas calls RBAC authz but enforces basic authz.
+func (p *WorkspaceAuthZPermissive) CanViewResourceQuotas(
+	ctx context.Context, curUser model.User,
+) error {
+	_ = (&WorkspaceAuthZRBAC{}).CanViewResourceQuotas(ctx, curUser)
+	return (&WorkspaceAuthZBasic{}).CanViewResourceQuotas(ctx, curUser)
+}
+
 func init() {
 	AuthZProvider.Register("permissive", &WorkspaceAuthZPermissive{})
 }
diff --git a/master/internal/workspace/authz_rbac.go b/master/internal/workspace/authz_rbac.go
@@ -397,6 +397,21 @@ func (r *WorkspaceAuthZRBAC) CanSetResourceQuotas(ctx context.Context,
 		rbacv1.PermissionType_PERMISSION_TYPE_SET_RESOURCE_QUOTAS)
 }
 
+// CanViewResourceQuotas determines whether a user can view resource quotas on a workspace.
+func (r *WorkspaceAuthZRBAC) CanViewResourceQuotas(ctx context.Context,
+	curUser model.User,
+) (err error) {
+	fields := audit.ExtractLogFields(ctx)
+	addInfoWithoutWorkspace(curUser, fields,
+		rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+	defer func() {
+		audit.LogFromErr(fields, err)
+	}()
+
+	return db.DoesPermissionMatch(ctx, curUser.ID, nil,
+		rbacv1.PermissionType_PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS)
+}
+
 func hasPermissionOnWorkspace(ctx context.Context, uid model.UserID,
 	workspace *workspacev1.Workspace, permID rbacv1.PermissionType,
 ) error {

diff --git a/master/static/migrations/20240814123944_add-view-resource-quotas-permissions.tx.up.sql b/master/static/migrations/20240814123944_add-view-resource-quotas-permissions.tx.up.sql
@@ -0,0 +1,13 @@
+/* Add RBAC permissions for creating/updating/deleting namespace-workspace bindings and 
+resource quotas. */
+INSERT into permissions(id, name, global_only) VALUES 
+    (11003, 'view resource quotas', false);
+
+INSERT INTO permission_assignments(permission_id, role_id) VALUES
+    (11003, 1),
+    (11003, 2),
+    (11003, 4),
+    (11003, 5),
+    (11003, 7),
+    (11003, 8),
+    (11003, 9);
diff --git a/proto/pkg/rbacv1/rbac.pb.go b/proto/pkg/rbacv1/rbac.pb.go
diff --git a/proto/src/determined/rbac/v1/rbac.proto b/proto/src/determined/rbac/v1/rbac.proto
@@ -174,6 +174,9 @@ enum PermissionType {
 
   // Ability to set resource quotas on workspaces.
   PERMISSION_TYPE_SET_RESOURCE_QUOTAS = 11002;
+
+  // Ability to view resource quotas on workspaces.
+  PERMISSION_TYPE_VIEW_RESOURCE_QUOTAS = 11003;
 }
 
 // RoleAssignmentSummary is used to describe permissions a user has.