ClearML/clearml-server
1
0
Fork 0
mirror of https://github.com/clearml/clearml-server synced 2025-04-19 05:34:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Revoke built-in webserver system-role credentials (used by the WebApp) in case we're running in fixed-mode

Browse Source
This commit is contained in:
allegroai 2020-06-01 11:41:43 +03:00
parent b125a56f86
commit c17b10ff1d
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/mongo/initialize/__init__.py
View File

@ -48,17 +48,21 @@ def init_mongo_data():
"name": "webserver", "name": "webserver",
"role": Role.system, "role": Role.system,
"email": "webserver@example.com", "email": "webserver@example.com",
"revoke_in_fixed_mode": True,
}, },
{"name": "tests", "role": Role.user, "email": "tests@example.com"}, {"name": "tests", "role": Role.user, "email": "tests@example.com"},
] ]
fixed_mode = FixedUser.enabled()
for user in users: for user in users:
revoke = fixed_mode and user.pop("revoke_in_fixed_mode", False)
credentials = config.get(f"secure.credentials.{user['name']}") credentials = config.get(f"secure.credentials.{user['name']}")
user["key"] = credentials.user_key user["key"] = credentials.user_key
user["secret"] = credentials.user_secret user["secret"] = credentials.user_secret
_ensure_auth_user(user, company_id, log=log) _ensure_auth_user(user, company_id, log=log, revoke=revoke)
if FixedUser.enabled(): if fixed_mode:
log.info("Fixed users mode is enabled") log.info("Fixed users mode is enabled")
FixedUser.validate() FixedUser.validate()
for user in FixedUser.from_config(): for user in FixedUser.from_config():

11
server/mongo/initialize/user.py
View File

@ -9,7 +9,7 @@ from database.model.user import User
from service_repo.auth.fixed_user import FixedUser from service_repo.auth.fixed_user import FixedUser
def _ensure_auth_user(user_data: dict, company_id: str, log: Logger): def _ensure_auth_user(user_data: dict, company_id: str, log: Logger, revoke: bool = False):
ensure_credentials = {"key", "secret"}.issubset(user_data) ensure_credentials = {"key", "secret"}.issubset(user_data)
if ensure_credentials: if ensure_credentials:
user = AuthUser.objects( user = AuthUser.objects(
@ -18,17 +18,22 @@ def _ensure_auth_user(user_data: dict, company_id: str, log: Logger):
) )
).first() ).first()
if user: if user:
if revoke:
user.credentials = []
user.save()
return user.id return user.id
user_id = user_data.get("id", f"__{user_data['name']}__")
log.info(f"Creating user: {user_data['name']}") log.info(f"Creating user: {user_data['name']}")
user = AuthUser( user = AuthUser(
id=user_data.get("id", f"__{user_data['name']}__"), id=user_id,
name=user_data["name"], name=user_data["name"],
company=company_id, company=company_id,
role=user_data["role"], role=user_data["role"],
email=user_data["email"], email=user_data["email"],
created=datetime.utcnow(), created=datetime.utcnow(),
credentials=[Credentials(key=user_data["key"], secret=user_data["secret"])] credentials=[Credentials(key=user_data["key"], secret=user_data["secret"])] if not revoke else []
if ensure_credentials if ensure_credentials
else None, else None,
) )