Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NAS-133042 / 25.04 / Lock out plugins when in GPOS STIG mode #15178

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

NAS-133042 / 25.04 / Lock out plugins when in GPOS STIG mode #15178

wants to merge 3 commits into from
+306 −158

Conversation

anodos325
Copy link
Contributor

@anodos325 anodos325 commented Dec 11, 2024
edited
Loading

Certain TrueNAS features are incompatible with requirements for
the GPOS STIG. This commit makes changes to our RBAC framework
to decrease effective privileges granted to all credentials to
prevent configuring non-compliant services and to give UI hints
about which features to disable.

As a result of these changes, the allowlist column is dropped
from the privilege table. Internally our credentials still
generate an allowlist in order to perform RBAC checks

@anodos325 anodos325 added the WIP label Dec 11, 2024
@anodos325 anodos325 force-pushed the gpos-privilege branch 2 times, most recently from 4e35d4e to 7e3fdd0 Compare December 11, 2024 21:48
@anodos325 anodos325 added the jira label Dec 11, 2024
@bugclerk
Copy link
Contributor

Jira URL: https://ixsystems.atlassian.net/browse/NAS-133042

@bugclerk bugclerk changed the title Lock out plugins when in GPOS STIG mode NAS-133042 / 25.04 / Lock out plugins when in GPOS STIG mode Dec 11, 2024
billohanlon
billohanlon approved these changes Dec 11, 2024
View reviewed changes
Copy link

@billohanlon billohanlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@anodos325 anodos325 force-pushed the gpos-privilege branch 4 times, most recently from 3bc2ccb to 59b3fd1 Compare December 12, 2024 18:31
@anodos325
Lock out plugins when in GPOS STIG mode
e9fd646 
Certain TrueNAS features are incompatibile with requirements for
the GPOS STIG. This commit makes changes to our RBAC framework
to decrease effective privileges granted to all credentials to
prevent configuring non-compliant services and to give UI hints
about which features to disable.

As a result of these changes, the allowlist column is dropped
from the privilege table. Internally our credentials still
generate an allowlist in order to perform RBAC checks.

The allowlist changes have a functional impact on privilege
framework regarding REST API access. After these changes,
only credentials with FULL_ADMIN privilege will be allowed
REST access and only when server does not have STIG rules
applied.
@anodos325
Fix a few more tests
05ed97b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@billohanlon billohanlon billohanlon approved these changes

Assignees
No one assigned
Labels
jira WIP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anodos325 @bugclerk @billohanlon