[PR #512] [CLOSED] 1.17.6 #744

opened 2025-10-31 15:20:38 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/moghtech/komodo/pull/512
Author: @mbecker20
Created: 5/13/2025
Status: Closed

Base: main ← Head: 1.17.6


📝 Commits (10+)

  • 766b559 ferretdb v2 now that they support arm64
  • 270804e remove ignored for sqlite
  • 35aa8fd tweak
  • 791138e mongo copier
  • a29b355 1.17.6
  • de23d76 primary name is ferretdb option
  • 379d24e give doc counts
  • 09905d0 fmt
  • 0530a47 print document count
  • 789c611 komodo util versioned separately

📊 Changes

166 files changed (+3506 additions, -1809 deletions)

  • Cargo.lock (+77 -64)
  • Cargo.toml (+13 -13)
  • bin/binaries.Dockerfile (+6 -3)
  • bin/core/Cargo.toml (+1 -1)
  • bin/core/aio.Dockerfile (+1 -1)
  • bin/core/src/alert/mod.rs (+9 -7)
  • bin/core/src/alert/ntfy.rs (+12 -6)
  • bin/core/src/api/execute/action.rs (+4 -3)
  • bin/core/src/api/execute/alerter.rs (+2 -2)
  • bin/core/src/api/execute/build.rs (+5 -4)
  • bin/core/src/api/execute/deployment.rs (+3 -2)
  • bin/core/src/api/execute/mod.rs (+2 -0)
  • bin/core/src/api/execute/procedure.rs (+4 -3)
  • bin/core/src/api/execute/repo.rs (+9 -8)
  • bin/core/src/api/execute/server.rs (+43 -43)
  • bin/core/src/api/execute/stack.rs (+7 -9)
  • bin/core/src/api/execute/sync.rs (+6 -4)
  • bin/core/src/api/read/action.rs (+17 -7)
  • bin/core/src/api/read/alert.rs (+1 -1)
  • bin/core/src/api/read/alerter.rs (+15 -6)

...and 80 more files

📄 Description

Changelog

🚨 This release moves official support to FerretDB v2. Users who deployed v1.17.5 or before using the Postgres / Sqlite option are using FerretDB v1 and should eventually migrate using the FerretDB v2 Update Guide (https://github.com/moghtech/komodo/blob/1.17.6/bin/util/docs/copy-database.md#ferretdb-v2-update-guide). Note that this is not a breaking change to Komodo itself, and users can update to 1.17.6 and continue to use FerretDB v1 if they wish.

🚨 Admins managing user permissions may need to modify the access rules to continue to access features. In particular, container logs, docker inspect on containers, and terminal access are now gated behind additional permissions (for non-admin users).

Specific Permissions

The main purpose of this release is to refine the access control / permissions system in Komodo. In 1.17.5 and before, access to resources was controlled only via access level (Read, Execute, Write). These levels provide access to the associated /read, /execute, and /write methods on resources, and it worked pretty well to provide RBAC.

Now with more potentially sensitive features, this is not quite enough to provide granular access control. To address this, specific permissions have been introduced in addition to Read, Execute, and Write levels.

  • Terminal: User can access the associated resource's terminal.
    • If given on a Server, this allows server level terminal access.
    • If given on a Stack or Deployment, this allows container exec terminal (even without Terminal on Server)
  • Attach: User can "attach" other resources to the resource.
    • If given on a Server, allows users to attach Stacks and Deployments
    • If given on a Builder, allows users to attach Builds
  • DockerInspect: User can "inspect" docker resources (like containers) on the Server
    • Access to this api will expose all container environments on the given server, and can easily lead to secrets being leaked.
  • DockerLogs: User can retrieve docker / docker compose logs on the associated resource.
    • Valid on Server, Stack, Deployment
    • For admins wanting this permission by default for all users with read permissions, see below on default user groups.
  • ProcessList: User can retrieve the full running process list on the Server

The above specific permissions are defined in a list alongside their level. This list is open for future expansion, and the associated implementations may be refined in future releases as well.

Default User Groups

Sometimes you will want to set a "baseline" set of permissions that all users will have on the Komodo instance. Previously this could only be done in a very barebones way, by setting KOMODO_TRANSPARENT_MODE=true on the Komodo Core container. This would give all users a base level of "Read" on all resources.

In addition to the above permissions features, this release also adds an everyone mode to User Groups. If you enable this mode on a User Group, then all users will inherit those permissions as a base.

Misc.

  • UI: Fix the inline rename behavior when renaming multiple resources in a row.
  • Alerter: Ntfy endpoints now support configuring email. Note that you must also make sure SMTP is configured on the Ntfy server. By @FelixBreitweiser in #493

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
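As an added illustration of the model the changelog describes (this is example code, not Komodo's own): each resource grant is an access level plus a list of specific permissions, a user's effective grant is merged with any User Group in everyone mode, and a specific permission only counts on the resource kinds it is defined for. The type and function names, the Read < Execute < Write hierarchy, and the admin bypass are assumptions made for the example.

```rust
// Added example, not Komodo's code: a minimal model of the 1.17.6 permission
// check (access level + specific permissions + an `everyone` group baseline).
// Names, the Read < Execute < Write hierarchy, and the admin bypass are assumptions.
use std::collections::HashSet;

#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Level { None, Read, Execute, Write }

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum Specific { Terminal, Attach, DockerInspect, DockerLogs, ProcessList }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Kind { Server, Stack, Deployment, Builder }

/// What a user or user group holds on one resource: a level plus specific permissions.
#[derive(Clone, Debug)]
pub struct Grant { pub level: Level, pub specific: HashSet<Specific> }

/// A user group; a group in `everyone` mode applies to every user as a baseline.
pub struct UserGroup { pub everyone: bool, pub members: Vec<String>, pub grant: Grant }

/// Resource kinds each specific permission is defined on, per the changelog.
pub fn valid_on(s: Specific, k: Kind) -> bool {
    use Kind::*;
    use Specific::*;
    matches!((s, k), (Terminal | DockerLogs, Server | Stack | Deployment)
        | (Attach, Server | Builder) | (DockerInspect | ProcessList, Server))
}

/// Effective grant: the user's own grant merged (max level, union of specifics) with
/// every group that either lists the user or is in `everyone` mode.
pub fn effective(user: &str, own: Option<&Grant>, groups: &[UserGroup]) -> Grant {
    let mut out = own.cloned().unwrap_or(Grant { level: Level::None, specific: HashSet::new() });
    for g in groups.iter().filter(|g| g.everyone || g.members.iter().any(|m| m == user)) {
        out.level = out.level.max(g.grant.level);
        out.specific.extend(&g.grant.specific);
    }
    out
}

/// Does `user` pass a check that needs `level` and, optionally, specific permission `s`
/// on a resource of kind `kind`? A specific permission not defined on that kind never helps.
pub fn allowed(user: &str, admin: bool, own: Option<&Grant>, groups: &[UserGroup],
               kind: Kind, level: Level, s: Option<Specific>) -> bool {
    if admin { return true; } // the new gates apply to non-admin users only
    let eff = effective(user, own, groups);
    eff.level >= level && s.map_or(true, |s| valid_on(s, kind) && eff.specific.contains(&s))
}
```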

Reference: github-starred/komodo#744