* [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
Note: compat breaking changes for Pool.Allocate permission
changes to v1:
* docs patch now included
* `/cluster/resources` now returns pool information for guests only if
the requesting user has the Pool.Audit permission on the pool
pve-manager:
Lorenz Stechauner (1):
fix #3402: add Pool.Audit permission
PVE/API2/Cluster.pm | 7 ++++++-
PVE/API2/Pool.pm | 7 ++++---
PVE/API2/VZDump.pm | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
pve-access-control:
Lorenz Stechauner (1):
fix #3402: add Pool.Audit permission
README | 1 +
src/PVE/AccessControl.pm | 8 ++++++--
2 files changed, 7 insertions(+), 2 deletions(-)
pve-docs:
Lorenz Stechauner (1):
fix #3202: pveum: add Pool.Audit permission
pveum.adoc | 1 +
1 file changed, 1 insertion(+)
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH v2 access-control 1/1] fix #3402: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
@ 2021-05-20 10:03 ` Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
README | 1 +
src/PVE/AccessControl.pm | 8 ++++++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 33643a6..c706e5b 100644
--- a/README
+++ b/README
@@ -96,6 +96,7 @@ privileges:
VM.Config.Options: modify any other VM configuration
Pool.Allocate: create/remove/modify a pool.
+ Pool.Audit: view a pool
Datastore.Allocate: create/remove/modify a data store.
Datastore.AllocateSpace: allocate space on a datastore
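Review bot: the new entry "Pool.Audit: view a pool" lacks the trailing period that the adjacent "Pool.Allocate: create/remove/modify a pool." and "Datastore.Allocate" lines carry; the list is already mixed (Datastore.AllocateSpace has none), so either style is defensible, but matching the Pool.Allocate line directly above keeps the two Pool entries uniform.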
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..888875e 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -819,8 +819,12 @@ my $privgroups = {
admin => [
'Pool.Allocate', # create/delete pools
],
- user => [],
- audit => [],
+ user => [
+ 'Pool.Audit',
+ ],
+ audit => [
+ 'Pool.Audit',
+ ],
},
};
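Review bot: the commit message says it adds a new "user" PVEPoolUser, but the hunk only adds 'Pool.Audit' to the user and audit privilege groups of the pool category; whatever is generated from those groups is a role, so the message should say "role". Worth stating in the commit message as well: the admin group keeps only 'Pool.Allocate', so a custom role built from Pool.Allocate alone does not gain Pool.Audit and, once the manager patch switches its checks, loses read access to pools. That is the compat break the cover letter mentions, and administrators will have to add Pool.Audit to such roles. A short inline comment like the existing "# create/delete pools" one (e.g. "# view pools and pool membership") would document the new privilege next to its definition.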
--
2.20.1
* [pve-devel] [PATCH v2 manager 1/1] fix #3402: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
@ 2021-05-20 10:03 ` Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner
2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
everywhere where Pool.Allocate was unnecessarily used it was replaced
with Pool.Audit.
`/cluster/resources` now returns pool information for guests only if
the requesting user has the Pool.Audit permission on the pool.
`/pool/` now returns only pools where the requesting user has the
Pool.Audit permission.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
PVE/API2/Cluster.pm | 7 ++++++-
PVE/API2/Pool.pm | 7 ++++---
PVE/API2/VZDump.pm | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index ab5b28a1..641b846d 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
for my $pool (sort keys %{$usercfg->{pools}}) {
my $d = $usercfg->{pools}->{$pool};
- next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+ next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = {
id => "/pool/$pool",
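Review bot: this hunk changes which principals see pool entries in /cluster/resources from holders of Pool.Allocate to holders of Pool.Audit on /pool/<pool>. The commit message should spell out that a user holding only Pool.Allocate on a pool (possible with a custom role) no longer sees the pool here; that is the user-visible compat break, not merely a rename of the privilege being checked.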
@@ -384,6 +384,11 @@ __PACKAGE__->register_method({
$entry->{lock} = $lock;
}
+ if (defined($entry->{pool}) &&
+ !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
+ delete $entry->{pool};
+ }
+
# get ha status
if (my $hatype = $hatypemap->{$entry->{type}}) {
my $sid = "$hatype:$vmid";
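Review bot: the new check calls $rpcenv->check() once per guest entry, while the set of pools is small and is already iterated in the hunk above; building a per-pool "may audit" map once and consulting it here avoids repeated ACL evaluation for every VM and container on large clusters. The check itself is correct: the noerr flag (the trailing 1) means a denied pool only strips the field instead of failing the whole listing, which is the right behaviour for a resource index.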
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
index 43375b02..28c29ab8 100644
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
method => 'GET',
description => "Pool index.",
permissions => {
- description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+ description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
user => 'all',
},
parameters => {
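Review bot: "Pool.Audit permissions" should be singular ("permission"), since a single privilege is checked now. More importantly, the old description listed VM.Allocate as an alternative; with this change a user holding VM.Allocate on /pool/<pool> but no Pool.Audit no longer sees that pool in the index, and the commit message should call that out explicitly rather than describing the change only as a replacement of Pool.Allocate.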
@@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
my $usercfg = $rpcenv->{user_cfg};
+
my $res = [];
for my $pool (sort keys %{$usercfg->{pools}}) {
- next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+ next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = { poolid => $pool };
my $pool_config = $usercfg->{pools}->{$pool};
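Review bot: the switch from check_any() over two privileges to check() over 'Pool.Audit' matches the updated description, good. The added blank line after "my $usercfg = $rpcenv->{user_cfg};" is unrelated whitespace churn and would be better left out of a permission change.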
@@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'GET',
permissions => {
- check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+ check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
},
description => "Get pool configuration.",
parameters => {
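Review bot: GET /pool/{poolid} now requires Pool.Audit instead of Pool.Allocate, so a holder of Pool.Allocate via a custom role loses read access to a pool configuration it can still modify. If Pool.Allocate is meant to keep implying read access, an any-of check over both privileges (as the old index endpoint did with check_any()) would avoid that break; if the break is intended, the commit message should say so.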
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 82dd9415..4093d82f 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
my $pool = $res->{pool};
if (defined($pool) &&
- !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
+ !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
delete $res->{pool};
}
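Review bot: this "delete the pool field unless the caller has Pool.Audit on /pool/<pool>" logic is the same as the block added to PVE/API2/Cluster.pm in this series; a small shared helper would keep the two in sync if the privilege or path layout changes again. The commit message should also note that the pool name in a backup task result was previously visible to Pool.Allocate holders and now requires Pool.Audit.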
--
2.20.1
* [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner
@ 2021-05-20 10:03 ` Lorenz Stechauner
2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
pveum.adoc | 1 +
1 file changed, 1 insertion(+)
diff --git a/pveum.adoc b/pveum.adoc
index 7120db7..71ea7ef 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -449,6 +449,7 @@ Node / System related privileges::
* `Sys.Modify`: create/remove/modify node network parameters
* `Group.Allocate`: create/remove/modify groups
* `Pool.Allocate`: create/remove/modify a pool
+* `Pool.Audit`: view a pool
* `Realm.Allocate`: create/remove/modify authentication realms
* `Realm.AllocateUser`: assign user to a realm
* `User.Modify`: create/remove/modify user access and details.
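Review bot: the subject of this patch references bug #3202, whereas the manager and access-control patches in the same series reference #3402; one of them is a typo and should be corrected before applying. In the hunk itself, "view a pool" mirrors the README wording; since the series also gates the pool membership shown in /cluster/resources and in backup task results on this privilege, a slightly fuller description (e.g. "view a pool and the pool membership of its guests") would tell administrators what they are granting.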
--
2.20.1
* [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
` (2 preceding siblings ...)
2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner
@ 2021-06-01 9:06 ` Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-06-01 9:06 UTC (permalink / raw)
To: Proxmox VE development discussion
On May 20, 2021 12:03 pm, Lorenz Stechauner wrote:
> Note: compat breaking changes for Pool.Allocate permission
>
> changes to v1:
> * docs patch now included
> * `/cluster/resources` now returns pool information for guests only if
> the requesting user has the Pool.Audit permission on the pool
>
>
>
> pve-manager:
>
> Lorenz Stechauner (1):
> fix #3402: add Pool.Audit permission
>
> PVE/API2/Cluster.pm | 7 ++++++-
> PVE/API2/Pool.pm | 7 ++++---
> PVE/API2/VZDump.pm | 2 +-
> 3 files changed, 11 insertions(+), 5 deletions(-)
>
>
> pve-access-control:
>
> Lorenz Stechauner (1):
> fix #3402: add Pool.Audit permission
>
> README | 1 +
> src/PVE/AccessControl.pm | 8 ++++++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
>
> pve-docs:
>
> Lorenz Stechauner (1):
> fix #3202: pveum: add Pool.Audit permission
>
> pveum.adoc | 1 +
> 1 file changed, 1 insertion(+)
> --
> 2.20.1
Thread overview:
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner
2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler