From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <d.csapak@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by lists.proxmox.com (Postfix) with ESMTPS id 2B93B8B6EA
for <pve-devel@lists.proxmox.com>; Mon, 24 Oct 2022 12:03:08 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 1434918151
for <pve-devel@lists.proxmox.com>; Mon, 24 Oct 2022 12:03:08 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
[94.136.29.106])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits))
(No client certificate requested)
by firstgate.proxmox.com (Proxmox) with ESMTPS
for <pve-devel@lists.proxmox.com>; Mon, 24 Oct 2022 12:03:07 +0200 (CEST)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 0764F44B58
for <pve-devel@lists.proxmox.com>; Mon, 24 Oct 2022 12:03:07 +0200 (CEST)
From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Mon, 24 Oct 2022 12:03:06 +0200
Message-Id: <20221024100306.2005236-1-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.067 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pve-devel] [RFC PATCH acces-control] auth: require quorum for
ticket creaton of non PAM users
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>,
<mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 10:03:08 -0000
when the current node is not part of the quorate partition, there is no
way to determine if a user has the proper permissions or is even still
enabled, so we should prevent ticket creation for these users.
The only exception we should make is for node-local users (PAM realm),
since there is a good chance those can login via console/ssh anyway, and
it's good to have at least some users as fallback that can still login
in such cases.
This does not prevent users from using already created tickets, nor does
it prevent api calls with api tokens (that would have to be done
elsewhere).
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
sending as rfc, since i'm not completely sure that's what @Wolfgang and
@Thomas had in mind in [0], since it's not touching api tokens at all
0: https://lists.proxmox.com/pipermail/pve-devel/2022-October/054406.html
src/PVE/API2/AccessControl.pm | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 104e7e3..eb0543a 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -143,6 +143,9 @@ my sub verify_auth : prototype($$$$$$$) {
my sub create_ticket_do : prototype($$$$$$) {
my ($rpcenv, $username, $pw_or_ticket, $otp, $new_format, $tfa_challenge) = @_;
+ # allow login for non-quorate clusters only for node-local @pam users
+ PVE::Cluster::check_cfs_quorum() if $username !~ m/\@pam$/;
+
die "TFA response should be in 'password', not 'otp' when 'tfa-challenge' is set\n"
if defined($otp) && defined($tfa_challenge);
--
2.30.2