all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH v2 manager] pve6to7: add check for pool permissions
@ 2021-06-16 12:16 Lorenz Stechauner
  2021-06-16 12:45 ` Fabian Grünbichler
  0 siblings, 1 reply; 3+ messages in thread
From: Lorenz Stechauner @ 2021-06-16 12:16 UTC (permalink / raw)
  To: pve-devel

the two checks make sure that:
* no user defined role 'PVEPoolUser' exists
* the user gets a hint for roles only containing Pool.Allocate and
    not Pool.Audit

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
changes to v1:
* rebased on master

 PVE/CLI/pve6to7.pm | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/PVE/CLI/pve6to7.pm b/PVE/CLI/pve6to7.pm
index 90f92a55..b391d006 100644
--- a/PVE/CLI/pve6to7.pm
+++ b/PVE/CLI/pve6to7.pm
@@ -9,6 +9,7 @@ use PVE::API2::LXC;
 use PVE::API2::Qemu;
 use PVE::API2::Certificates;
 
+use PVE::AccessControl;
 use PVE::Ceph::Tools;
 use PVE::Cluster;
 use PVE::Corosync;
@@ -693,6 +694,30 @@ sub check_misc {
 
     check_backup_retention_settings();
     check_cifs_credential_location();
+
+    log_info("Check custom roles");
+    my $usercfg = PVE::Cluster::cfs_read_file("user.cfg");
+    foreach my $role (sort keys %{$usercfg->{roles}}) {
+	if (PVE::AccessControl::role_is_special($role)) {
+	    next;
+	}
+
+	if ($role eq "PVEPoolUser") {
+	    # the user created a custom role named PVEPoolUser
+	    log_fail("Custom role '$role' has a restricted name - a built-in role 'PVEPoolUser' will be available with the upgrade");
+	} else {
+	    log_pass("Custom role '$role' has no restricted name");
+	}
+
+	my $perms = $usercfg->{roles}->{$role};
+	if ($perms->{'Pool.Allocate'} && $perms->{'Pool.Audit'}) {
+	    log_pass("Custom role '$role' contains updated pool permissions");
+	} elsif ($perms->{'Pool.Allocate'}) {
+	    log_warn("Custom role '$role' contains permission 'Pool.Allocate' - to ensure same behavior add 'Pool.Audit' to this role after the upgrade");
+	} else {
+	    log_pass("Custom role '$role' contains no permissions that need to be updated");
+	}
+    }
 }
 
 __PACKAGE__->register_method ({
-- 
2.20.1





^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-06-16 12:50 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-16 12:16 [pve-devel] [PATCH v2 manager] pve6to7: add check for pool permissions Lorenz Stechauner
2021-06-16 12:45 ` Fabian Grünbichler
2021-06-16 12:49   ` Thomas Lamprecht

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal