joyent/node-triton#120 Ensure 'triton inst ls' only requires ListMachines RBAC access

2016-06-08 14:44:46 -07:00 · 2016-06-08 14:44:46 -07:00 · 0932365d46
commit 0932365d46
parent fabe0a0841
3 changed files with 24 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -7,6 +7,11 @@ Known issues:

 ## 4.13.0 (not yet released)

+- [#120] Don't fail `triton instance list` if the retrieval of *image* info
+  (retrieved to get image name and version, as a bonus) fails with an
+  authorization error -- in case it is an RBAC failure where a subuser can
+  ListMachines, but not ListImages.
+
 - [#113] *Usage* errors now some "error help", including option or command
  synopses. Some examples (the new thing is marked with `>`):

--- a/TODO.txt
+++ b/TODO.txt
@ -1,3 +1,8 @@
+- The 'shortcut' commands use `handlerFromSubcmd(...).dispatch`. That
+  doesn't run the subcmd class's `.init()` method. node-cmdln should provide
+  a way to do this. ... basically want to call the *main()* but with preparsed
+  options. Perhaps the init/fini should move into dispatch?
+
 triton create affinity support for tag matching, globs, regex

 note in README that full UUIDs is much faster in the API
--- a/lib/do_instance/do_list.js
+++ b/lib/do_instance/do_list.js
@ -47,6 +47,7 @@ function do_list(subcmd, opts, args, callback) {
        this.do_help('help', {}, [subcmd], callback);
        return;
    }
+    var log = self.top.log;

    var columns = columnsDefault;
    if (opts.o) {
@ -70,7 +71,7 @@ function do_list(subcmd, opts, args, callback) {
    }


-    var imgs;
+    var imgs = [];
    var insts;

    vasync.parallel({funcs: [
@ -78,7 +79,18 @@ function do_list(subcmd, opts, args, callback) {
            self.top.tritonapi.listImages({useCache: true},
                    function (err, _imgs) {
                if (err) {
-                    next(err);
+                    if (err.statusCode === 403) {
+                        /*
+                         * This could be a authorization error due to RBAC
+                         * on a subuser. We don't want to fail `triton inst ls`
+                         * if the subuser can ListMachines, but not ListImages.
+                         */
+                        log.debug(err,
+                            'authz error listing images for insts info');
+                        next();
+                    } else {
+                        next(err);
+                    }
                } else {
                    imgs = _imgs;
                    next();