From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 1567A1FF16F for ; Tue, 14 Oct 2025 10:56:52 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 084B1241EF; Tue, 14 Oct 2025 10:57:10 +0200 (CEST) From: Shan Shaji To: pdm-devel@lists.proxmox.com Date: Tue, 14 Oct 2025 10:56:50 +0200 Message-ID: <20251014085651.73407-2-s.shaji@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20251014085651.73407-1-s.shaji@proxmox.com> References: <20251014085651.73407-1-s.shaji@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1760432189887 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.120 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pdm-devel] [PATCH datacenter-manager v2 1/2] fix #6901: api: add permission checks for PBS rrd endpoints X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" When a non-root user tried to view the RRD data of the PBS node or datastores, even with Administrator privileges, the API was returning a "403: permission check failed" error. This occured because the access property was not defined inside the `api` macro. To fix the issue, a resource level permission check was added. Now if a user has at least the `Resource.Audit` permission, then they can access the RRD data of the node and datastores. Signed-off-by: Shan Shaji --- changes since v1: - Updated endpoint descriptions. server/src/api/pbs/rrddata.rs | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/server/src/api/pbs/rrddata.rs b/server/src/api/pbs/rrddata.rs index aa980d4..74c670d 100644 --- a/server/src/api/pbs/rrddata.rs +++ b/server/src/api/pbs/rrddata.rs @@ -2,8 +2,9 @@ use anyhow::Error; use pdm_api_types::{ remotes::REMOTE_ID_SCHEMA, rrddata::{PbsDatastoreDataPoint, PbsNodeDataPoint}, + PRIV_RESOURCE_AUDIT, }; -use proxmox_router::Router; +use proxmox_router::{Permission, Router}; use proxmox_rrd_api_types::{RrdMode, RrdTimeframe}; use proxmox_schema::api; use serde_json::Value; @@ -100,6 +101,10 @@ impl DataPoint for PbsDatastoreDataPoint { }, }, }, + access: { + permission: &Permission::Privilege(&["resource", "{remote}"], PRIV_RESOURCE_AUDIT, false), + description: "The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}`." + } )] /// Read PBS node stats async fn get_pbs_node_rrd_data( @@ -125,6 +130,10 @@ async fn get_pbs_node_rrd_data( }, }, }, + access: { + permission: &Permission::Privilege(&["resource", "{remote}", "datastore", "{datastore}"], PRIV_RESOURCE_AUDIT, false), + description: "The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}/datastore/{datastore}`." + } )] /// Read PBS datastore stats async fn get_pbs_datastore_rrd_data( -- 2.47.3 _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel