feat(adminui): editable DB-backed LDAP role map (global, FleetAdmin-gated)
This commit is contained in:
Joseph Doherty
@@ -1,33 +1,21 @@
|
|||||||
@page "/role-grants"
|
@page "/role-grants"
|
||||||
@* Per Q4 of the AdminUI rebuild plan, v2 replaced v1's per-cluster RoleGrants table with a
|
@attribute [Microsoft.AspNetCore.Authorization.Authorize(Policy = "FleetAdmin")]
|
||||||
fleet-wide LDAP-group → role map. This page surfaces the mapping read-only; the source of
|
|
||||||
truth is Authentication:Ldap:GroupToRole in appsettings (editable on the host filesystem, not
|
|
||||||
from the UI yet). *@
|
|
||||||
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
|
|
||||||
@rendermode RenderMode.InteractiveServer
|
@rendermode RenderMode.InteractiveServer
|
||||||
@using Microsoft.Extensions.Options
|
@using Microsoft.Extensions.Options
|
||||||
|
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
|
||||||
|
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
|
||||||
|
@using ZB.MOM.WW.OtOpcUa.Configuration.Services
|
||||||
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
|
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
|
||||||
@inject IOptionsSnapshot<LdapOptions> Ldap
|
@inject IOptionsSnapshot<LdapOptions> Ldap
|
||||||
|
@inject ILdapGroupRoleMappingService RoleMappings
|
||||||
|
|
||||||
<div class="d-flex justify-content-between align-items-center mb-3">
|
<div class="d-flex justify-content-between align-items-center mb-3">
|
||||||
<h4 class="mb-0">Role grants</h4>
|
<h4 class="mb-0">Role grants</h4>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<section class="panel notice rise" style="animation-delay:.02s">
|
@if (_options is not null)
|
||||||
LDAP group membership determines fleet roles. Edit the mapping in
|
|
||||||
<span class="mono">appsettings.json</span> under <span class="mono">Authentication:Ldap:GroupToRole</span>
|
|
||||||
and restart the admin node (or sign out + back in for cached claims to refresh). UI-driven
|
|
||||||
editing of the mapping is deferred — it implies a config-reload mechanism that doesn't exist
|
|
||||||
yet.
|
|
||||||
</section>
|
|
||||||
|
|
||||||
@if (_options is null)
|
|
||||||
{
|
{
|
||||||
<p>Loading…</p>
|
<section class="card-grid rise" style="animation-delay:.02s">
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
<section class="card-grid rise mt-3" style="animation-delay:.08s">
|
|
||||||
<div class="metric-card">
|
<div class="metric-card">
|
||||||
<div class="panel-head">LDAP binding</div>
|
<div class="panel-head">LDAP binding</div>
|
||||||
<div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
|
<div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
|
||||||
@@ -40,16 +28,61 @@ else
|
|||||||
}
|
}
|
||||||
</div>
|
</div>
|
||||||
</section>
|
</section>
|
||||||
|
}
|
||||||
|
|
||||||
|
<section class="panel rise mt-3" style="animation-delay:.08s">
|
||||||
|
<div class="panel-head">Group → role (database)</div>
|
||||||
|
<div style="padding:1rem">
|
||||||
|
<div class="d-flex gap-2 align-items-center flex-wrap">
|
||||||
|
<input class="form-control form-control-sm mono" style="max-width:32rem"
|
||||||
|
@bind="_newGroup" placeholder="cn=fleet-admin,ou=groups,..." />
|
||||||
|
<select class="form-select form-select-sm" style="max-width:14rem" @bind="_newRole">
|
||||||
|
@foreach (var role in Enum.GetValues<AdminRole>())
|
||||||
|
{
|
||||||
|
<option value="@role">@role</option>
|
||||||
|
}
|
||||||
|
</select>
|
||||||
|
<button class="btn btn-sm btn-primary" @onclick="AddAsync" disabled="@_busy">Add</button>
|
||||||
|
</div>
|
||||||
|
@if (_error is not null)
|
||||||
|
{
|
||||||
|
<div class="text-danger small mt-2">@_error</div>
|
||||||
|
}
|
||||||
|
</div>
|
||||||
|
<div class="table-wrap">
|
||||||
|
<table class="data-table">
|
||||||
|
<thead><tr><th>LDAP group</th><th>Role</th><th></th></tr></thead>
|
||||||
|
<tbody>
|
||||||
|
@if (_rows.Count == 0)
|
||||||
|
{
|
||||||
|
<tr><td colspan="3" class="text-muted">No database role grants. Authentication falls back to the appsettings map below.</td></tr>
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
@foreach (var r in _rows)
|
||||||
|
{
|
||||||
|
<tr>
|
||||||
|
<td><span class="mono">@r.LdapGroup</span></td>
|
||||||
|
<td><span class="chip chip-idle">@r.Role</span></td>
|
||||||
|
<td><button class="btn btn-sm btn-link text-danger" @onclick="() => DeleteAsync(r.Id)" disabled="@_busy">Delete</button></td>
|
||||||
|
</tr>
|
||||||
|
}
|
||||||
|
}
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
@if (_options is not null)
|
||||||
|
{
|
||||||
<section class="panel rise mt-3" style="animation-delay:.14s">
|
<section class="panel rise mt-3" style="animation-delay:.14s">
|
||||||
<div class="panel-head">Group → role mapping (@(_options.GroupToRole?.Count ?? 0))</div>
|
<div class="panel-head">Fallback (appsettings) (@(_options.GroupToRole?.Count ?? 0))</div>
|
||||||
|
<div style="padding:1rem 1rem 0" class="text-muted small">
|
||||||
|
These <span class="mono">Authentication:Ldap:GroupToRole</span> entries apply when a group has no database row above.
|
||||||
|
</div>
|
||||||
@if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
|
@if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
|
||||||
{
|
{
|
||||||
<div style="padding:1rem" class="text-muted">
|
<div style="padding:1rem" class="text-muted">No appsettings fallback mapping configured.</div>
|
||||||
No mapping configured. Every authenticated user lands with zero roles —
|
|
||||||
the fallback authorization policy will refuse every request. Add a
|
|
||||||
<span class="mono">GroupToRole</span> entry before deploying.
|
|
||||||
</div>
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -73,9 +106,45 @@ else
|
|||||||
|
|
||||||
@code {
|
@code {
|
||||||
private LdapOptions? _options;
|
private LdapOptions? _options;
|
||||||
|
private IReadOnlyList<LdapGroupRoleMapping> _rows = [];
|
||||||
|
private string _newGroup = "";
|
||||||
|
private AdminRole _newRole = AdminRole.ConfigViewer;
|
||||||
|
private string? _error;
|
||||||
|
private bool _busy;
|
||||||
|
|
||||||
protected override void OnInitialized()
|
protected override async Task OnInitializedAsync()
|
||||||
{
|
{
|
||||||
_options = Ldap.Value;
|
_options = Ldap.Value;
|
||||||
|
await ReloadAsync();
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task ReloadAsync()
|
||||||
|
=> _rows = (await RoleMappings.ListAllAsync(default)).Where(r => r.IsSystemWide).ToList();
|
||||||
|
|
||||||
|
private async Task AddAsync()
|
||||||
|
{
|
||||||
|
_error = null;
|
||||||
|
if (string.IsNullOrWhiteSpace(_newGroup)) { _error = "LDAP group is required."; return; }
|
||||||
|
_busy = true;
|
||||||
|
try
|
||||||
|
{
|
||||||
|
await RoleMappings.CreateAsync(new LdapGroupRoleMapping
|
||||||
|
{
|
||||||
|
LdapGroup = _newGroup.Trim(), Role = _newRole, IsSystemWide = true, ClusterId = null,
|
||||||
|
}, default);
|
||||||
|
_newGroup = "";
|
||||||
|
_newRole = AdminRole.ConfigViewer;
|
||||||
|
await ReloadAsync();
|
||||||
|
}
|
||||||
|
catch (Exception ex) { _error = ex.Message; }
|
||||||
|
finally { _busy = false; }
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task DeleteAsync(Guid id)
|
||||||
|
{
|
||||||
|
_error = null; _busy = true;
|
||||||
|
try { await RoleMappings.DeleteAsync(id, default); await ReloadAsync(); }
|
||||||
|
catch (Exception ex) { _error = ex.Message; }
|
||||||
|
finally { _busy = false; }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user