Make the device permissions explicit #78
Comments
richbayliss
pushed a commit
that referenced
this issue
Apr 17, 2019
The permission `resin.device.all` allowed any port to be tunnelled by mistake, rather than intention. This permission is now broken down to the component actions create, read, update and delete. The existing `tunnel-22222` is kept, but also added is a rule to allow the `tunnel-any` action. It is desirable that any port could be tunnelled and this permission will be checked by the connect proxy alongside the explicit port permission. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io> Connects-to: #78
richbayliss
pushed a commit
that referenced
this issue
May 17, 2019
The permission `resin.device.all` allowed any port to be tunnelled by mistake, rather than intention. This permission is now broken down to the component actions create, read, update and delete. The existing `tunnel-22222` is kept, but also added is a rule to allow the `tunnel-any` action. It is desirable that any port could be tunnelled and this permission will be checked by the connect proxy alongside the explicit port permission. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io> Connects-to: #78
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The permission
resin.device.allis allowing all ports to be available to tunnel unintentionally. This should be broken down tocreate,read,updateanddelete.Additionally we would like to keep the ability to tunnel any port, so we will add a new permission
resin.device.tunnel-anywhich can be checked for.Please see balena-io/open-balena#47 for the original issue.
The text was updated successfully, but these errors were encountered: