public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege
@ 2025-07-18  9:30 Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH access-control 1/9] add " Fiona Ebner
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Currently, guest replication is guarded with Datastore.Allocate on
'/storage', which is rather surprising. One could require
Datastore.AllocateSpace on all involved storages, but having a
dedicated privilege like for other VM operations like migration and
snapshot seems to be more natural.

Manager patches 2/9 to 7/9 can be applied independently.

New manager depends on new access-control.

access-control:

Fiona Ebner (1):
  add VM.Replicate privilege

 src/PVE/AccessControl.pm | 1 +
 src/test/perm-test1.pl   | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)


manager:

Fiona Ebner (7):
  api: replication: code style: order module imports
  api: replication: add missing module imports
  api: replication config: code style: order module imports
  api: replication config: add missing module imports
  api: replication config: remove dead code
  api: replication: fix usages of RPCEnvironment check method
  close #2809: api: replication: use VM.Replicate privilege

 PVE/API2/Replication.pm       | 38 ++++++++++++++++++-------------
 PVE/API2/ReplicationConfig.pm | 42 ++++++++++++++++++++++++++---------
 2 files changed, 54 insertions(+), 26 deletions(-)


docs:

Fiona Ebner (1):
  user management: privileges: document VM.Replicate privilege

 pveum.adoc | 1 +
 1 file changed, 1 insertion(+)


Summary over all repositories:
  5 files changed, 60 insertions(+), 30 deletions(-)

-- 
Generated by git-murpp 0.5.0


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel



* [pve-devel] [PATCH access-control 1/9] add VM.Replicate privilege
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 2/9] api: replication: code style: order module imports Fiona Ebner
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Currently, guest replication is guarded with Datastore.Allocate on
'/storage', which is rather surprising. One could require
Datastore.AllocateSpace on all involved storages, but having a
dedicated privilege like for other VM operations like migration and
snapshot seems to be more natural.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/AccessControl.pm | 1 +
 src/test/perm-test1.pl   | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index e48e647..6c5a13f 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1061,6 +1061,7 @@ my $privgroups = {
             'VM.Clone',
             'VM.GuestAgent.Unrestricted',
             'VM.Migrate',
+            'VM.Replicate',
             'VM.Snapshot',
             'VM.Snapshot.Rollback',
         ],
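Review bot: the added 'VM.Replicate' entry sits in a privilege group whose key and role mapping lie outside this hunk's context, and the commit message does not say which built-in roles gain the privilege as a result. Since replication was previously gated by Datastore.Allocate on '/storage', please state in the commit message which roles now include VM.Replicate, so admins with custom roles know they have to grant it explicitly.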
diff --git a/src/test/perm-test1.pl b/src/test/perm-test1.pl
index 50b46e2..d323447 100755
--- a/src/test/perm-test1.pl
+++ b/src/test/perm-test1.pl
@@ -66,8 +66,8 @@ check_permission(
         . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
         . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
         . 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,'
-        . 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.PowerMgmt,VM.Snapshot,'
-        . 'VM.Snapshot.Rollback',
+        . 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.PowerMgmt,VM.Replicate,'
+        . 'VM.Snapshot,VM.Snapshot.Rollback',
 );
 # Administrator -> Permissions.Modify!
 check_permission(
@@ -86,8 +86,8 @@ check_permission(
         . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
         . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
         . 'VM.Console,VM.GuestAgent.Audit,VM.GuestAgent.FileRead,VM.GuestAgent.FileSystemMgmt,'
-        . 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.PowerMgmt,VM.Snapshot,'
-        . 'VM.Snapshot.Rollback',
+        . 'VM.GuestAgent.FileWrite,VM.GuestAgent.Unrestricted,VM.Migrate,VM.PowerMgmt,VM.Replicate,'
+        . 'VM.Snapshot,VM.Snapshot.Rollback',
 );
 
 check_roles('max@pve', '/vms/200', 'storage_manager');
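Review bot: both expectation strings changed in this file are lists that simply gain VM.Replicate, so the test only shows that the privilege exists in roles that are meant to have it. Consider adding a check_permission case for a role that should not carry VM.Replicate, so an accidental grant through the privilege group would be caught.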
-- 
2.47.2




* [pve-devel] [PATCH manager 2/9] api: replication: code style: order module imports
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH access-control 1/9] add " Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 3/9] api: replication: add missing " Fiona Ebner
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Replication.pm | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index 4d45ff84..f4eafcf0 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -3,21 +3,19 @@ package PVE::API2::Replication;
 use warnings;
 use strict;
 
-use PVE::JSONSchema qw(get_standard_option);
-use PVE::RPCEnvironment;
 use PVE::Format qw(render_timestamp);
-use PVE::ProcFSTools;
-
-use PVE::ReplicationConfig;
-use PVE::ReplicationState;
-use PVE::Replication;
-use PVE::QemuConfig;
-use PVE::QemuServer;
+use PVE::JSONSchema qw(get_standard_option);
 use PVE::LXC::Config;
 use PVE::LXC;
 use PVE::Notify;
-
+use PVE::ProcFSTools;
+use PVE::QemuConfig;
+use PVE::QemuServer;
+use PVE::ReplicationConfig;
+use PVE::ReplicationState;
+use PVE::Replication;
 use PVE::RESTHandler;
+use PVE::RPCEnvironment;
 
 use base qw(PVE::RESTHandler);
 
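Review bot: the resulting import block is not strictly sorted: 'use PVE::LXC::Config;' stays ahead of 'use PVE::LXC;', and 'use PVE::Replication;' follows 'use PVE::ReplicationConfig;' and 'use PVE::ReplicationState;'. If the intent is alphabetical order, move the shorter module names first; if sub-modules are meant to precede their parent, say so in the commit message, which currently has no body.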
-- 
2.47.2




* [pve-devel] [PATCH manager 3/9] api: replication: add missing module imports
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH access-control 1/9] add " Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 2/9] api: replication: code style: order module imports Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 4/9] api: replication config: code style: order " Fiona Ebner
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Replication.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index f4eafcf0..7d048f53 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -3,7 +3,10 @@ package PVE::API2::Replication;
 use warnings;
 use strict;
 
+use PVE::Cluster;
+use PVE::Exception qw(raise_perm_exc);
 use PVE::Format qw(render_timestamp);
+use PVE::INotify;
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::LXC::Config;
 use PVE::LXC;
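Review bot: 'use PVE::Exception qw(raise_perm_exc);' is added here although the file already calls raise_perm_exc() (see the context lines of 7/9), and the commit message has no body. Please say in the message whether those call sites were reachable without the import, since a permission-denied path that fails with a different error is worth knowing for anyone backporting.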
@@ -16,6 +19,7 @@ use PVE::ReplicationState;
 use PVE::Replication;
 use PVE::RESTHandler;
 use PVE::RPCEnvironment;
+use PVE::Tools;
 
 use base qw(PVE::RESTHandler);
 
-- 
2.47.2




* [pve-devel] [PATCH manager 4/9] api: replication config: code style: order module imports
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (2 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 3/9] api: replication: add missing " Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 5/9] api: replication config: add missing " Fiona Ebner
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/ReplicationConfig.pm | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.pm
index d8732a76..26730688 100644
--- a/PVE/API2/ReplicationConfig.pm
+++ b/PVE/API2/ReplicationConfig.pm
@@ -3,14 +3,13 @@ package PVE::API2::ReplicationConfig;
 use warnings;
 use strict;
 
-use PVE::Tools qw(extract_param);
+use PVE::Cluster;
 use PVE::Exception qw(raise_perm_exc raise_param_exc);
 use PVE::JSONSchema qw(get_standard_option);
-use PVE::RPCEnvironment;
 use PVE::ReplicationConfig;
-use PVE::Cluster;
-
 use PVE::RESTHandler;
+use PVE::RPCEnvironment;
+use PVE::Tools qw(extract_param);
 
 use base qw(PVE::RESTHandler);
 
-- 
2.47.2




* [pve-devel] [PATCH manager 5/9] api: replication config: add missing module imports
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (3 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 4/9] api: replication config: code style: order " Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 6/9] api: replication config: remove dead code Fiona Ebner
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/ReplicationConfig.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.pm
index 26730688..34d519c8 100644
--- a/PVE/API2/ReplicationConfig.pm
+++ b/PVE/API2/ReplicationConfig.pm
@@ -9,8 +9,12 @@ use PVE::JSONSchema qw(get_standard_option);
 use PVE::ReplicationConfig;
 use PVE::RESTHandler;
 use PVE::RPCEnvironment;
+use PVE::SectionConfig;
+use PVE::Storage;
 use PVE::Tools qw(extract_param);
 
+use PVE::API2::Replication;
+
 use base qw(PVE::RESTHandler);
 
 __PACKAGE__->register_method({
-- 
2.47.2




* [pve-devel] [PATCH manager 6/9] api: replication config: remove dead code
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (4 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 5/9] api: replication config: add missing " Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 7/9] api: replication: fix usages of RPCEnvironment check method Fiona Ebner
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

The RPCEnvironment's check() method is used without $noerr, so it will
already fail and raise the proper permission exception when the
privilege is missing.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/ReplicationConfig.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.pm
index 34d519c8..1c6ac765 100644
--- a/PVE/API2/ReplicationConfig.pm
+++ b/PVE/API2/ReplicationConfig.pm
@@ -4,7 +4,7 @@ use warnings;
 use strict;
 
 use PVE::Cluster;
-use PVE::Exception qw(raise_perm_exc raise_param_exc);
+use PVE::Exception qw(raise_param_exc);
 use PVE::JSONSchema qw(get_standard_option);
 use PVE::ReplicationConfig;
 use PVE::RESTHandler;
@@ -90,7 +90,7 @@ __PACKAGE__->register_method({
 
         my $vmid = $data->{guest};
 
-        raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit']);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit']);
 
         $data->{id} = $param->{id};
 
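Review bot: after this change '$rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit']);' is a bare statement whose return value is ignored, so the access decision rests entirely on check() raising when $noerr is unset. A one-line comment saying that it raises on failure would keep a later reader from treating it as a no-op or appending a $noerr argument, which would turn it into no check at all.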
-- 
2.47.2




* [pve-devel] [PATCH manager 7/9] api: replication: fix usages of RPCEnvironment check method
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (5 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 6/9] api: replication config: remove dead code Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 8/9] close #2809: api: replication: use VM.Replicate privilege Fiona Ebner
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

The RPCEnvironment's check() method is used without $noerr, so it will
already fail and raise a permission exception when the privilege is
missing.

The usage in the job_status endpoint can be simplified, as the
raise_perm_exc() there is dead code.

The other two usages actually want to set the $noerr argument. In
particular, this makes it possible to use the 'status' endpoint, when
the user does not have VM.Audit for all guests with a replication job
and to read the log with only Sys.Audit privilege on the node. Both
would previously fail, because the check for VM.Audit would raise an
exception already.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Replication.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index 7d048f53..c8416239 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -236,7 +236,7 @@ __PACKAGE__->register_method({
             my $data = $extract_job_status->($jobs->{$id}, $id);
             my $guest = $data->{guest};
             next if defined($param->{guest}) && $guest != $param->{guest};
-            next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+            next if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit'], 1);
             push @$res, $data;
         }
 
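Review bot: with the trailing 1 added to 'next if !$rpcenv->check(...)', guests the caller cannot audit are now dropped silently from the result instead of failing the whole request, and the bare positional 1 does not say that by itself. A short comment naming it as $noerr, plus a permissions description on the endpoint stating that the list is filtered by VM.Audit, would make the intended behaviour reviewable.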
@@ -311,7 +311,7 @@ __PACKAGE__->register_method({
         my $data = $extract_job_status->($jobcfg, $jobid);
         my $guest = $data->{guest};
 
-        raise_perm_exc() if !$rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
+        $rpcenv->check($authuser, "/vms/$guest", ['VM.Audit']);
 
         return $data;
     },
@@ -381,8 +381,8 @@ __PACKAGE__->register_method({
         my $vmid = $data->{guest};
         raise_perm_exc()
             if (!(
-                $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'])
-                || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'])
+                $rpcenv->check($authuser, "/vms/$vmid", ['VM.Audit'], 1)
+                || $rpcenv->check($authuser, "/nodes/$node", ['Sys.Audit'], 1)
             ));
 
         my ($count, $lines) =
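Review bot: in this hunk both checks now pass $noerr, so raise_perm_exc() is the only thing denying access, and it is called without saying which privileges were tried. Consider naming the accepted alternatives (VM.Audit on /vms/$vmid or Sys.Audit on /nodes/$node) in the raised error, and note that this call site depends on the raise_perm_exc import added in 3/9, so the two patches should not be split when backporting.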
-- 
2.47.2




* [pve-devel] [PATCH manager 8/9] close #2809: api: replication: use VM.Replicate privilege
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (6 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 7/9] api: replication: fix usages of RPCEnvironment check method Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-18  9:30 ` [pve-devel] [PATCH docs 9/9] user management: privileges: document " Fiona Ebner
  2025-07-30 13:33 ` [pve-devel] applied-series: [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated " Fabian Grünbichler
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Currently, guest replication is guarded with Datastore.Allocate on
'/storage', which is rather surprising. One could require
Datastore.AllocateSpace on all involved storages, but having a
dedicated privilege like for other VM operations like migration and
snapshot seems to be more natural.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 PVE/API2/Replication.pm       |  8 +++++++-
 PVE/API2/ReplicationConfig.pm | 25 +++++++++++++++++++++----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/Replication.pm b/PVE/API2/Replication.pm
index c8416239..c23649f3 100644
--- a/PVE/API2/Replication.pm
+++ b/PVE/API2/Replication.pm
@@ -402,7 +402,8 @@ __PACKAGE__->register_method({
     proxyto => 'node',
     protected => 1,
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => {
         additionalProperties => 0,
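Review bot: with 'user => 'all'' every authenticated user is admitted to this endpoint at the API layer, and the description string is documentation only; enforcement is the $rpcenv->check() call added in the next hunk. Keep that check ahead of any work on the job, and consider a comment next to the permissions block pointing at it, so a later refactor does not move code in front of the check.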
@@ -417,7 +418,12 @@ __PACKAGE__->register_method({
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
         my $jobid = $param->{id};
+        my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($jobid);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']);
 
         my $cfg = PVE::ReplicationConfig->new();
         my $jobcfg = $cfg->{ids}->{$jobid};
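Review bot: the check here runs against the $vmid parsed out of the job id, before the job is looked up in the config. The failure behaviour of parse_replication_job_id() is not visible in this hunk; if it can return without a VM ID, the check would run against '/vms/'. Please confirm it dies on a malformed id, or that the schema for 'id' already rejects such input.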
diff --git a/PVE/API2/ReplicationConfig.pm b/PVE/API2/ReplicationConfig.pm
index 1c6ac765..307ebe69 100644
--- a/PVE/API2/ReplicationConfig.pm
+++ b/PVE/API2/ReplicationConfig.pm
@@ -107,19 +107,24 @@ __PACKAGE__->register_method({
     method => 'POST',
     description => "Create a new replication job",
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => PVE::ReplicationConfig->createSchema(),
     returns => { type => 'null' },
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
         my $type = extract_param($param, 'type');
         my $plugin = PVE::ReplicationConfig->lookup($type);
         my $id = extract_param($param, 'id');
 
         # extract guest ID from job ID
         my ($guest) = PVE::ReplicationConfig::parse_replication_job_id($id);
+        $rpcenv->check($authuser, "/vms/$guest", ['VM.Replicate']);
 
         my $nodelist = PVE::Cluster::get_members();
         my $vmlist = PVE::Cluster::get_vmlist();
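Review bot: the create path now only checks VM.Replicate on /vms/$guest; nothing in this hunk checks the storages the job will write to, whereas the removed rule required Datastore.Allocate on /storage. The commit message names Datastore.AllocateSpace on all involved storages as the alternative that was not taken; please state in the permissions description or the docs that VM.Replicate alone allows consuming space on the target's storages, so the privilege is granted with that in mind.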
@@ -176,17 +181,24 @@ __PACKAGE__->register_method({
     method => 'PUT',
     description => "Update replication job configuration.",
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => PVE::ReplicationConfig->updateSchema(),
     returns => { type => 'null' },
     code => sub {
         my ($param) = @_;
 
+        my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
         my $id = extract_param($param, 'id');
         my $digest = extract_param($param, 'digest');
         my $delete = extract_param($param, 'delete');
 
+        my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($id);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']);
+
         my $code = sub {
             my $cfg = PVE::ReplicationConfig->new();
 
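Review bot: the same three steps (fetch $rpcenv and $authuser, parse the VM ID out of the job id, check VM.Replicate on /vms/$vmid) are now repeated in the create, update and delete handlers here and in the handler changed in PVE/API2/Replication.pm. A small shared helper taking the job id would keep the four call sites from drifting apart, which matters now that 'user => 'all'' leaves these in-code checks as the only gate.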
@@ -231,7 +243,8 @@ __PACKAGE__->register_method({
     method => 'DELETE',
     description => "Mark replication job for removal.",
     permissions => {
-        check => ['perm', '/storage', ['Datastore.Allocate']],
+        description => "Requires the VM.Replicate permission on /vms/<vmid>.",
+        user => 'all',
     },
     parameters => {
         additionalProperties => 0,
@@ -256,11 +269,15 @@ __PACKAGE__->register_method({
         my ($param) = @_;
 
         my $rpcenv = PVE::RPCEnvironment::get();
+        my $authuser = $rpcenv->get_user();
+
+        my $id = extract_param($param, 'id');
+        my ($vmid) = PVE::ReplicationConfig::parse_replication_job_id($id);
+        $rpcenv->check($authuser, "/vms/$vmid", ['VM.Replicate']);
 
         my $code = sub {
             my $cfg = PVE::ReplicationConfig->new();
 
-            my $id = $param->{id};
             if ($param->{force}) {
                 raise_param_exc({ 'keep' => "conflicts with parameter 'force'" })
                     if $param->{keep};
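Review bot: 'my $id = extract_param($param, 'id');' removes 'id' from $param, while the deleted 'my $id = $param->{id};' left it in place. The visible code only reads $param->{force} and $param->{keep} afterwards, but please confirm nothing further down in this handler still reads $param->{id}; reading it without extract_param here would keep the old behaviour.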
-- 
2.47.2




* [pve-devel] [PATCH docs 9/9] user management: privileges: document VM.Replicate privilege
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (7 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH manager 8/9] close #2809: api: replication: use VM.Replicate privilege Fiona Ebner
@ 2025-07-18  9:30 ` Fiona Ebner
  2025-07-30 13:33 ` [pve-devel] applied-series: [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated " Fabian Grünbichler
  9 siblings, 0 replies; 11+ messages in thread
From: Fiona Ebner @ 2025-07-18  9:30 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 pveum.adoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pveum.adoc b/pveum.adoc
index 40a2a62..25e10ef 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -914,6 +914,7 @@ Virtual machine related privileges::
 * `VM.GuestAgent.Unrestricted`: issue arbitrary QEMU guest agent commands
 * `VM.Migrate`: migrate VM to alternate server on cluster
 * `VM.PowerMgmt`: power management (start, stop, reset, shutdown, ...)
+* `VM.Replicate`: configure and run guest replication
 * `VM.Snapshot.Rollback`: rollback VM to one of its snapshots
 * `VM.Snapshot`: create/delete VM snapshots
 
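Review bot: the new bullet says what VM.Replicate allows but not that it replaces the earlier requirement, and the commit message has no body. Since the replication endpoints previously required Datastore.Allocate on /storage, a sentence in the replication chapter or the release notes telling admins to grant VM.Replicate on /vms/<vmid> would help with upgrades.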
-- 
2.47.2




* [pve-devel] applied-series: [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege
  2025-07-18  9:30 [pve-devel] [PATCH access-control/manager/docs 0/9] close #2809: replication: add dedicated VM.Replicate privilege Fiona Ebner
                   ` (8 preceding siblings ...)
  2025-07-18  9:30 ` [pve-devel] [PATCH docs 9/9] user management: privileges: document " Fiona Ebner
@ 2025-07-30 13:33 ` Fabian Grünbichler
  9 siblings, 0 replies; 11+ messages in thread
From: Fabian Grünbichler @ 2025-07-30 13:33 UTC (permalink / raw)
  To: Proxmox VE development discussion

including a version bump for pve-access-control + versioned dependency
from pve-manager, and a tiny follow-up adding the new priv to the readme
as well ;)

On July 18, 2025 11:30 am, Fiona Ebner wrote:
> Currently, guest replication is guarded with Datastore.Allocate on
> '/storage', which is rather surprising. One could require
> Datastore.AllocateSpace on all involved storages, but having a
> dedicated privilege like for other VM operations like migration and
> snapshot seems to be more natural.
> 
> Manager patches 2/9 to 7/9 can be applied independently.
> 
> New manager depends on new access-control.
> 
> access-control:
> 
> Fiona Ebner (1):
>   add VM.Replicate privilege
> 
>  src/PVE/AccessControl.pm | 1 +
>  src/test/perm-test1.pl   | 8 ++++----
>  2 files changed, 5 insertions(+), 4 deletions(-)
> 
> 
> manager:
> 
> Fiona Ebner (7):
>   api: replication: code style: order module imports
>   api: replication: add missing module imports
>   api: replication config: code style: order module imports
>   api: replication config: add missing module imports
>   api: replication config: remove dead code
>   api: replication: fix usages of RPCEnvironment check method
>   close #2809: api: replication: use VM.Replicate privilege
> 
>  PVE/API2/Replication.pm       | 38 ++++++++++++++++++-------------
>  PVE/API2/ReplicationConfig.pm | 42 ++++++++++++++++++++++++++---------
>  2 files changed, 54 insertions(+), 26 deletions(-)
> 
> 
> docs:
> 
> Fiona Ebner (1):
>   user management: privileges: document VM.Replicate privilege
> 
>  pveum.adoc | 1 +
>  1 file changed, 1 insertion(+)
> 
> 
> Summary over all repositories:
>   5 files changed, 60 insertions(+), 30 deletions(-)
> 
> -- 
> Generated by git-murpp 0.5.0
> 
> 

