opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

API: Add /api/kea/service/* and /api/kea/leases4/* endpoints to System Privileges #7770

Closed kuya1284 closed 2 months ago

kuya1284 commented 2 months ago

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

I'm unable to access the /api/kea/service/* and /api/kea/leases4/* endpoints with a service account unless I grant the account access using the /* privilege. It appears that the only Kea privilege that I can grant is /api/kea/dhcpv4. Granting /* provides too much access and I'd like to be able to restrict that access.

Describe the solution you like

Could you please add both /api/kea/service/* and /api/kea/leases4/* to the System Privileges so that I can restrict the service account's access to specific API endpoints?

A clear and concise description of what you want to happen.

I would like to make API calls to the Kea endpoints without having to give the account too much access by granting the All pages System Privilege.

Describe alternatives you considered

N/A

A clear and concise description of any alternative solutions or features you considered.

N/A

Add any other context or screenshots about the feature request here or links to relevant forum thread or similar


fichtner commented 2 months ago

@kuya1284 thanks for the report, a0fa83a should do the trick for you:

# opnsense-patch a0fa83a

@AdSchellevis is this correct? what happens with service endpoint when Kea v6 is added?

AdSchellevis commented 2 months ago

@fichtner it might have been better if I only added a "kea" acl here, but technically it's not possible to start one or the other anyway when adding v6. I would add the same change as you just did.

fichtner commented 2 months ago

ok so when @kuya1284 confirms this goes right to stable/24.7 :)

kuya1284 commented 2 months ago

@fichtner that looks like that would resolve my issue. However, @AdSchellevis brought up a really good point. I just took another look at how the ISC endpoints are set up and it seems there might be some inconsistencies with the Kea endpoints.

Currently, the Kea endpoints are:

The ISC endpoints are:

It makes me wonder if Kea should be designed similarly? For example:

Or maybe like this instead:

Of course, that would require the routes to be redesigned and I don't know anything about the future plans of Kea DHCPv6. So maybe the above won't work, especially with how the Control Agent and Service will be handled.

In any event, your proposed change in https://github.com/opnsense/core/commit/a0fa83adbb5bead181b1a08b3188412ddb9bac4d would definitely help resolve the issue. Thank you so much for your quick attention to this.
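An added example (not OPNsense code and not part of this thread) that models the least-privilege problem described in the issue: it matches request paths against a privilege's URL patterns and reports what a privilege lacks or over-grants. It assumes OPNsense-style ACL patterns match with shell globbing; the privilege names and the post-fix pattern set are assumptions, and the request paths are constructed.

```python
from fnmatch import fnmatchcase

# Privilege name -> URL patterns it grants. The "/*" and "/api/kea/dhcpv4"
# entries come from the issue; the names and the post-fix pattern set are
# assumptions about what the referenced commit adds.
PRIVILEGES = {
    "all-pages": ["/*"],
    "kea-v4-before-fix": ["/api/kea/dhcpv4/*"],
    "kea-v4-after-fix": ["/api/kea/dhcpv4/*", "/api/kea/service/*",
                         "/api/kea/leases4/*"],
}

# Constructed request paths: two the service account needs, one it should
# never be able to reach.
NEEDED = ["/api/kea/service/status", "/api/kea/leases4/search"]
FORBIDDEN = ["/api/core/firmware/status"]


def allowed(path: str, patterns: list[str]) -> bool:
    """True if any granted URL pattern matches the request path.
    fnmatch's '*' also matches '/', so '/*' covers every endpoint."""
    return any(fnmatchcase(path, p) for p in patterns)


def audit(privilege: str, needed=NEEDED, forbidden=FORBIDDEN) -> dict:
    """Report what a privilege lacks (needed paths it denies) and what it
    over-grants (forbidden paths it allows)."""
    patterns = PRIVILEGES[privilege]
    return {
        "missing": [p for p in needed if not allowed(p, patterns)],
        "overgrant": [p for p in forbidden if allowed(p, patterns)],
    }


def least_privilege_choices(needed=NEEDED, forbidden=FORBIDDEN) -> list[str]:
    """Privileges that cover every needed path and none of the forbidden ones."""
    return [name for name in PRIVILEGES
            if not audit(name, needed, forbidden)["missing"]
            and not audit(name, needed, forbidden)["overgrant"]]


if __name__ == "__main__":
    for name in PRIVILEGES:
        print(name, audit(name))
    print("least-privilege options:", least_privilege_choices())
```

Swap in the privilege patterns and endpoints from your own instance to confirm a service account is scoped no wider than its API calls require.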

AdSchellevis commented 2 months ago

isc dhcp 4 and 6 are different (isolated) services, which can be started separately, kea is a single package which shares daemons underneath. I should have called page-dhcp-kea-v4 page-dhcp-kea for consistency, but changing that now doesn't help anyone.

kuya1284 commented 2 months ago

Thank you so much for the fix. You guys rock!