* [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD
@ 2020-09-16  9:51 Fabian Grünbichler
  2020-09-16  9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler
  2020-09-17  4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer
  0 siblings, 2 replies; 4+ messages in thread
From: Fabian Grünbichler @ 2020-09-16  9:51 UTC (permalink / raw)
  To: pbs-devel

this is the same privilege needed to query the node status.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/api2/node/rrd.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/api2/node/rrd.rs b/src/api2/node/rrd.rs
index 99881461..cc18f30e 100644
--- a/src/api2/node/rrd.rs
+++ b/src/api2/node/rrd.rs
@@ -1,9 +1,10 @@
 use anyhow::Error;
 use serde_json::{Value, json};
 
-use proxmox::api::{api, Router};
+use proxmox::api::{api, Permission, Router};
 
 use crate::api2::types::*;
+use crate::config::acl::PRIV_SYS_AUDIT;
 use crate::rrd::{extract_cached_data, RRD_DATA_ENTRIES};
 
 pub fn create_value_from_rrd(
@@ -56,6 +57,9 @@ pub fn create_value_from_rrd(
             },
         },
     },
+    access: {
+        permission: &Permission::Privilege(&["system", "status"], PRIV_SYS_AUDIT, false),
+    },
 )]
 /// Read node stats
 fn get_node_stats(
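Review bot: The ACL path in the new `access` block is the fixed `&["system", "status"]`, and the only justification is the commit message's "the same privilege needed to query the node status"; nothing at the `permission:` line ties the two endpoints together. A short comment there, or a shared constant for the path if the status endpoint uses the same one, would keep them from drifting apart. The `/// Read node stats` doc comment could also name the privilege (Sys.Audit) that the call now checks.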
-- 
2.20.1






* [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info
  2020-09-16  9:51 [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Fabian Grünbichler
@ 2020-09-16  9:51 ` Fabian Grünbichler
  2020-09-17  4:04   ` [pbs-devel] applied: " Dietmar Maurer
  2020-09-17  4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer
  1 sibling, 1 reply; 4+ messages in thread
From: Fabian Grünbichler @ 2020-09-16  9:51 UTC (permalink / raw)
  To: pbs-devel

like we do for PVE. this is visible on the dashboard, and caused 403 on
each update which bothers me when looking at the dev console.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    this will need more work once we actually introduce subscription keys, but
    seems good enough for now..

 src/api2/node/subscription.rs | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/api2/node/subscription.rs b/src/api2/node/subscription.rs
index 186019cb..f8b14187 100644
--- a/src/api2/node/subscription.rs
+++ b/src/api2/node/subscription.rs
@@ -1,11 +1,12 @@
 use anyhow::{Error};
 use serde_json::{json, Value};
 
-use proxmox::api::{api, Router, Permission};
+use proxmox::api::{api, Router, RpcEnvironment, Permission};
 
 use crate::tools;
 use crate::config::acl::PRIV_SYS_AUDIT;
-use crate::api2::types::NODE_SCHEMA;
+use crate::config::cached_user_info::CachedUserInfo;
+use crate::api2::types::{NODE_SCHEMA, Userid};
 
 #[api(
     input: {
@@ -28,7 +29,7 @@ use crate::api2::types::NODE_SCHEMA;
             },
             serverid: {
                 type: String,
-                description: "The unique server ID.",
+                description: "The unique server ID, if permitted to access.",
             },
             url: {
                 type: String,
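Review bot: The new `serverid` description, "The unique server ID, if permitted to access.", does not say what the field contains when the caller is not permitted. The handler later in this patch returns the literal string "hidden" in that case, which a client cannot tell apart from a real ID by type. Either document the placeholder value and the privilege that unlocks the real one (`PRIV_SYS_AUDIT`) in the description, or make the field optional and omit it.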
@@ -37,18 +38,29 @@ use crate::api2::types::NODE_SCHEMA;
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Anybody,
     },
 )]
 /// Read subscription info.
-fn get_subscription(_param: Value) -> Result<Value, Error> {
+fn get_subscription(
+    _param: Value,
+    rpcenv: &mut dyn RpcEnvironment,
+) -> Result<Value, Error> {
+    let userid: Userid = rpcenv.get_user().unwrap().parse()?;
+    let user_info = CachedUserInfo::new()?;
+    let user_privs = user_info.lookup_privs(&userid, &[]);
+    let server_id = if (user_privs & PRIV_SYS_AUDIT) != 0 {
+        tools::get_hardware_address()?
+    } else {
+        "hidden".to_string()
+    };
 
     let url = "https://www.proxmox.com/en/proxmox-backup-server/pricing";
     Ok(json!({
         "status": "NotFound",
-	"message": "There is no subscription key",
-	"serverid": tools::get_hardware_address()?,
-	"url":  url,
+        "message": "There is no subscription key",
+        "serverid": server_id,
+        "url":  url,
      }))
 }
 
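Review bot: `rpcenv.get_user().unwrap()` in `get_subscription` panics if the environment has no user set, and with `Permission::Anybody` the schema alone no longer shows why a user is guaranteed here. The function already returns `Result<Value, Error>`, so turn the `None` case into an error instead of unwrapping. The Sys.Audit check is now done by hand on `user_privs` for path `&[]`; a comment stating that it replaces the removed `Permission::Privilege(&[], PRIV_SYS_AUDIT, false)` and gates only the `serverid` field would help the next reader.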
-- 
2.20.1






* [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD
  2020-09-16  9:51 [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Fabian Grünbichler
  2020-09-16  9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler
@ 2020-09-17  4:03 ` Dietmar Maurer
  1 sibling, 0 replies; 4+ messages in thread
From: Dietmar Maurer @ 2020-09-17  4:03 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Fabian Grünbichler

applied





* [pbs-devel] applied: [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info
  2020-09-16  9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler
@ 2020-09-17  4:04   ` Dietmar Maurer
  0 siblings, 0 replies; 4+ messages in thread
From: Dietmar Maurer @ 2020-09-17  4:04 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Fabian Grünbichler

applied




