From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH manager 1/2] api: nodes: allow usage of query url metadata with Sys.AccessNetwork
Date: Mon, 19 Feb 2024 18:14:11 +0100 [thread overview]
Message-ID: <20240219171412.1576651-4-t.lamprecht@proxmox.com> (raw)
In-Reply-To: <20240219171412.1576651-1-t.lamprecht@proxmox.com>
This was restricted to Sys.Modify + Sys.Audit on the whole cluster to
ensure that only trusted users get access to a method that can scan
the (local) network from the POV of the Proxmox VE node, even if only
through HTTP HEAD requests.
Nowadays there's enough user interest [0] to warrant a separate access
privilege to cover such an use case, and while most of the requests
are for the download-url storage API endpoint, this method here is not
only a bit less powerful than the storage one, it's rather tied to the
latter anyway (e.g. for querying the metadata of a URL in the web UI
for name and size before downloading it to a storage).
For backwards compatibility keep the old check and add the new
privilege as alternative to fulfill the permission requirements of
that API endpoint.
[0]: https://bugzilla.proxmox.com/show_bug.cgi?id=5254
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
PVE/API2/Nodes.pm | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 3619190d..5d9bae39 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -1581,7 +1581,10 @@ __PACKAGE__->register_method({
description => "Query metadata of an URL: file size, file name and mime type.",
proxyto => 'node',
permissions => {
- check => ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ check => ['or',
+ ['perm', '/', [ 'Sys.Audit', 'Sys.Modify' ]],
+ ['perm', '/nodes/{node}', [ 'Sys.AccessNetwork' ]],
+ ],
},
parameters => {
additionalProperties => 0,
--
2.39.2
next prev parent reply other threads:[~2024-02-19 17:14 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-19 17:14 [pve-devel] fix #5254: add separate Sys.AccessNetwork privilege Thomas Lamprecht
2024-02-19 17:14 ` [pve-devel] [PATCH access-control] add " Thomas Lamprecht
2024-02-19 17:14 ` [pve-devel] [PATCH storage:] fix #5254: api: allow usage of download-url with Sys.AccessNetwork Thomas Lamprecht
2024-02-19 17:14 ` Thomas Lamprecht [this message]
2024-02-19 17:14 ` [pve-devel] [PATCH manager 2/2] ui: storage: enable download-url button with Sys.AccessNetwork capability Thomas Lamprecht
2024-02-19 17:25 ` [pve-devel] fix #5254: add separate Sys.AccessNetwork privilege Thomas Lamprecht
2024-02-20 15:51 ` Hannes Dürr
2024-02-23 10:21 ` Fabian Grünbichler
2024-02-28 14:55 ` [pve-devel] applied-series: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240219171412.1576651-4-t.lamprecht@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.