* [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
Note: compat breaking changes for Pool.Allocate permission
changes to v1:
* docs patch now included
* `/cluster/resources` now returns pool infomation for guests only if
the requesting user has the Pool.Audit permission on the pool
pve-manager:
Lorenz Stechauner (1):
fix #3402: add Pool.Audit permission
PVE/API2/Cluster.pm | 7 ++++++-
PVE/API2/Pool.pm | 7 ++++---
PVE/API2/VZDump.pm | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
pve-access-control:
Lorenz Stechauner (1):
fix #3402: add Pool.Audit permission
README | 1 +
src/PVE/AccessControl.pm | 8 ++++++--
2 files changed, 7 insertions(+), 2 deletions(-)
pve-docs:
Lorenz Stechauner (1):
fix #3202: pveum: add Pool.Audit permission
pveum.adoc | 1 +
1 file changed, 1 insertion(+)
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread* [pve-devel] [PATCH v2 access-control 1/1] fix #3402: add Pool.Audit permission 2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner @ 2021-05-20 10:03 ` Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw) To: pve-devel add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor". Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> --- README | 1 + src/PVE/AccessControl.pm | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/README b/README index 33643a6..c706e5b 100644 --- a/README +++ b/README @@ -96,6 +96,7 @@ privileges: VM.Config.Options: modify any other VM configuration Pool.Allocate: create/remove/modify a pool. + Pool.Audit: view a pool Datastore.Allocate: create/remove/modify a data store. Datastore.AllocateSpace: allocate space on a datastore diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index f7d4e78..888875e 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -819,8 +819,12 @@ my $privgroups = { admin => [ 'Pool.Allocate', # create/delete pools ], - user => [], - audit => [], + user => [ + 'Pool.Audit', + ], + audit => [ + 'Pool.Audit', + ], }, }; -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH v2 manager 1/1] fix #3402: add Pool.Audit permission 2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner @ 2021-05-20 10:03 ` Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner 2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler 3 siblings, 0 replies; 5+ messages in thread From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw) To: pve-devel everywhere where Pool.Allocate was unnecessarly used it was replaced with Pool.Audit. `/cluster/resources` now returns pool infomation for guests only if the requesting user has the Pool.Audit permission on the pool. `/pool/` now returns only pools where the requesting user has the Pool.Audit permission. Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> --- PVE/API2/Cluster.pm | 7 ++++++- PVE/API2/Pool.pm | 7 ++++--- PVE/API2/VZDump.pm | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm index ab5b28a1..641b846d 100644 --- a/PVE/API2/Cluster.pm +++ b/PVE/API2/Cluster.pm @@ -332,7 +332,7 @@ __PACKAGE__->register_method({ for my $pool (sort keys %{$usercfg->{pools}}) { my $d = $usercfg->{pools}->{$pool}; - next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1); + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1); my $entry = { id => "/pool/$pool", @@ -384,6 +384,11 @@ __PACKAGE__->register_method({ $entry->{lock} = $lock; } + if (defined($entry->{pool}) && + !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) { + delete $entry->{pool}; + } + # get ha status if (my $hatype = $hatypemap->{$entry->{type}}) { my $sid = "$hatype:$vmid"; diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm index 43375b02..28c29ab8 100644 --- a/PVE/API2/Pool.pm +++ b/PVE/API2/Pool.pm @@ -22,7 +22,7 @@ __PACKAGE__->register_method ({ method => 'GET', description => "Pool index.", permissions => { - description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.", + description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.", user => 'all', }, parameters => { @@ -47,9 +47,10 @@ __PACKAGE__->register_method ({ my $usercfg = $rpcenv->{user_cfg}; + my $res = []; for my $pool (sort keys %{$usercfg->{pools}}) { - next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1); + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1); my $entry = { poolid => $pool }; my $pool_config = $usercfg->{pools}->{$pool}; @@ -200,7 +201,7 @@ __PACKAGE__->register_method ({ path => '{poolid}', method => 'GET', permissions => { - check => ['perm', '/pool/{poolid}', ['Pool.Allocate']], + check => ['perm', '/pool/{poolid}', ['Pool.Audit']], }, description => "Get pool configuration.", parameters => { diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm index 82dd9415..4093d82f 100644 --- a/PVE/API2/VZDump.pm +++ b/PVE/API2/VZDump.pm @@ -226,7 +226,7 @@ __PACKAGE__->register_method ({ my $pool = $res->{pool}; if (defined($pool) && - !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) { + !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) { delete $res->{pool}; } -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: add Pool.Audit permission 2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner @ 2021-05-20 10:03 ` Lorenz Stechauner 2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler 3 siblings, 0 replies; 5+ messages in thread From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw) To: pve-devel Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> --- pveum.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/pveum.adoc b/pveum.adoc index 7120db7..71ea7ef 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -449,6 +449,7 @@ Node / System related privileges:: * `Sys.Modify`: create/remove/modify node network parameters * `Group.Allocate`: create/remove/modify groups * `Pool.Allocate`: create/remove/modify a pool +* `Pool.Audit`: view a pool * `Realm.Allocate`: create/remove/modify authentication realms * `Realm.AllocateUser`: assign user to a realm * `User.Modify`: create/remove/modify user access and details. -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission 2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner ` (2 preceding siblings ...) 2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner @ 2021-06-01 9:06 ` Fabian Grünbichler 3 siblings, 0 replies; 5+ messages in thread From: Fabian Grünbichler @ 2021-06-01 9:06 UTC (permalink / raw) To: Proxmox VE development discussion On May 20, 2021 12:03 pm, Lorenz Stechauner wrote: > Note: compat breaking changes for Pool.Allocate permission > > changes to v1: > * docs patch now included > * `/cluster/resources` now returns pool infomation for guests only if > the requesting user has the Pool.Audit permission on the pool > > > > pve-manager: > > Lorenz Stechauner (1): > fix #3402: add Pool.Audit permission > > PVE/API2/Cluster.pm | 7 ++++++- > PVE/API2/Pool.pm | 7 ++++--- > PVE/API2/VZDump.pm | 2 +- > 3 files changed, 11 insertions(+), 5 deletions(-) > > > pve-access-control: > > Lorenz Stechauner (1): > fix #3402: add Pool.Audit permission > > README | 1 + > src/PVE/AccessControl.pm | 8 ++++++-- > 2 files changed, 7 insertions(+), 2 deletions(-) > > > pve-docs: > > Lorenz Stechauner (1): > fix #3202: pveum: add Pool.Audit permission > > pveum.adoc | 1 + > 1 file changed, 1 insertion(+) > -- > 2.20.1 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-06-01 9:06 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner 2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner 2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.