diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index b71dbb6d..2b4eaa80 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -75,6 +75,7 @@ _allowedbyrole = {
 '/node*/configuration/*',
 ],
 'start': [
+ '/sessions/current/async',
 '/nodes/*/console/session*',
 '/nodes/*/shell/sessions*',
 ],
@@ -84,10 +85,16 @@ _allowedbyrole = {
 ],
 },
 'Monitor': {
+ 'start': [
+ '/sessions/current/async',
+ ],
 'retrieve': [
 '/node*/health/hardware',
 '/node*/power/state',
 '/node*/sensors/*',
+ '/node*/attributes/current',
+ '/node*/description',
+ '/noderange/*/nodes/',
 '/nodes/',
 '/',
 ],
diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index b2b692ec..ac28cbe8 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -451,7 +451,7 @@ def wsock_handler(ws):
 mythreadid = greenlet.getcurrent()
 httpsessions[sessid]['inflight'].add(mythreadid)
 name = httpsessions[sessid]['name']
- authdata = auth.authorize(name, ws.path)
+ authdata = auth.authorize(name, ws.path, operation='start')
 if not authdata:
 return
 cfgmgr = httpsessions[sessid]['cfgmgr']
@@ -481,8 +481,12 @@ def wsock_handler(ws):
 elif clientmsg[0] == '!':
 msg = json.loads(clientmsg[1:])
 action = msg.get('operation', None)
+ targ = msg.get('target', None)
+ if targ:
+ authdata = auth.authorize(name, targ, operation=action)
+ if not authdata:
+ continue
 if action == 'start':
- targ = msg['target']
 if '/console/session' in targ or '/shell/sessions' in targ:
 width = msg['width']
 height = msg['height']
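Review bot: The new `'/node*/attributes/current'` entry under Monitor `retrieve` in auth.py lets a monitoring account read the full current attribute set of every matching node, which is wider than the health, power and sensor data the role could read before. If node attributes can hold credentials or other secrets (not visible in this diff), confirm that the attribute handler masks them for this role, or narrow the grant to the attributes the monitoring view needs. A comment above the entry such as `# inventory view only; secret attributes must stay masked for Monitor` would record that assumption. The `_allowedbyrole` table starts and ends outside the hunk, so how these glob patterns are matched is not shown here.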
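Review bot: With `auth.authorize(name, ws.path, operation='start')` in wsock_handler, every role that is meant to open this websocket now needs a `start` rule matching `ws.path`, and the auth.py hunks add `'/sessions/current/async'` for only two roles. Roles defined outside the visible hunks should be checked so they are neither locked out nor left relying on a broader wildcard. The denied path is a bare `return`; a comment there such as `# handshake denied: caller lacks 'start' on ws.path` and an audit log entry would make refusals visible to operators, unless auth.authorize already records them.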
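Review bot: The per-message check added after `action = msg.get('operation', None)` in wsock_handler runs only under `if targ:`, so a message with a missing or empty `target` reaches the dispatch below without any authorization call, and a `start` without a target then fails on `'/console/session' in targ` instead of being rejected. Failing closed for that case, `if action == 'start' and not targ: continue`, keeps the loop alive and makes the denial explicit. The check also rebinds `authdata`, overwriting the handshake result for `ws.path`; if code later in the function (outside this hunk) reads `authdata`, it now sees whichever target was authorized last, so a separate name such as `msgauth = auth.authorize(name, targ, operation=action)` is safer. Both `action` and `targ` come straight from the client, so confirm that auth.authorize denies unknown or None operations. Also confirm that the path it authorizes is the same normalized path the session code later opens.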