* [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD @ 2020-09-16 9:51 Fabian Grünbichler 2020-09-16 9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler 2020-09-17 4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer 0 siblings, 2 replies; 4+ messages in thread From: Fabian Grünbichler @ 2020-09-16 9:51 UTC (permalink / raw) To: pbs-devel this is the same privilege needed to query the node status. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- src/api2/node/rrd.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/api2/node/rrd.rs b/src/api2/node/rrd.rs index 99881461..cc18f30e 100644 --- a/src/api2/node/rrd.rs +++ b/src/api2/node/rrd.rs @@ -1,9 +1,10 @@ use anyhow::Error; use serde_json::{Value, json}; -use proxmox::api::{api, Router}; +use proxmox::api::{api, Permission, Router}; use crate::api2::types::*; +use crate::config::acl::PRIV_SYS_AUDIT; use crate::rrd::{extract_cached_data, RRD_DATA_ENTRIES}; pub fn create_value_from_rrd( @@ -56,6 +57,9 @@ pub fn create_value_from_rrd( }, }, }, + access: { + permission: &Permission::Privilege(&["system", "status"], PRIV_SYS_AUDIT, false), + }, )] /// Read node stats fn get_node_stats( -- 2.20.1 ^ permalink raw reply [flat|nested] 4+ messages in thread
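Review bot: The ACL path `&["system", "status"]` in the new `access` block (second hunk of src/api2/node/rrd.rs) is a second hard-coded copy of what the commit message describes as the node status check, so the two endpoints can drift apart silently if one is changed later. A shared constant for the path, or for the whole `Permission`, would keep them in sync. The bare `false` passed as the third argument of `Permission::Privilege` is also not self-explanatory at the call site; a short comment on what it selects would make the check easier to audit. Since the hunk shows no `access` entry on this endpoint before the change, the commit message could also state what access applied previously.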
* [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info 2020-09-16 9:51 [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Fabian Grünbichler @ 2020-09-16 9:51 ` Fabian Grünbichler 2020-09-17 4:04 ` [pbs-devel] applied: " Dietmar Maurer 2020-09-17 4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer 1 sibling, 1 reply; 4+ messages in thread From: Fabian Grünbichler @ 2020-09-16 9:51 UTC (permalink / raw) To: pbs-devel like we do for PVE. this is visible on the dashboard, and caused 403 on each update which bothers me when looking at the dev console. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- Notes: this will need more work once we actually introduce subscription keys, but seems good enough for now.. src/api2/node/subscription.rs | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/src/api2/node/subscription.rs b/src/api2/node/subscription.rs index 186019cb..f8b14187 100644 --- a/src/api2/node/subscription.rs +++ b/src/api2/node/subscription.rs @@ -1,11 +1,12 @@ use anyhow::{Error}; use serde_json::{json, Value}; -use proxmox::api::{api, Router, Permission}; +use proxmox::api::{api, Router, RpcEnvironment, Permission}; use crate::tools; use crate::config::acl::PRIV_SYS_AUDIT; -use crate::api2::types::NODE_SCHEMA; +use crate::config::cached_user_info::CachedUserInfo; +use crate::api2::types::{NODE_SCHEMA, Userid}; #[api( input: { @@ -28,7 +29,7 @@ use crate::api2::types::NODE_SCHEMA; }, serverid: { type: String, - description: "The unique server ID.", + description: "The unique server ID, if permitted to access.", }, url: { type: String, 
@@ -37,18 +38,29 @@ use crate::api2::types::NODE_SCHEMA; }, }, access: { - permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false), + permission: &Permission::Anybody, }, )] /// Read subscription info. -fn get_subscription(_param: Value) -> Result<Value, Error> { +fn get_subscription( + _param: Value, + rpcenv: &mut dyn RpcEnvironment, +) -> Result<Value, Error> { + let userid: Userid = rpcenv.get_user().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + let user_privs = user_info.lookup_privs(&userid, &[]); + let server_id = if (user_privs & PRIV_SYS_AUDIT) != 0 { + tools::get_hardware_address()? + } else { + "hidden".to_string() + }; let url = "https://www.proxmox.com/en/proxmox-backup-server/pricing"; Ok(json!({ "status": "NotFound", - "message": "There is no subscription key", - "serverid": tools::get_hardware_address()?, - "url": url, + "message": "There is no subscription key", + "serverid": server_id, + "url": url, })) } -- 2.20.1 ^ permalink raw reply [flat|nested] 4+ messages in thread
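Review bot: `rpcenv.get_user().unwrap()` in the last hunk of src/api2/node/subscription.rs panics the handler if no user is set on the environment, and this matters more now that the check is relaxed to `Permission::Anybody`. The function already returns `Result<Value, Error>`, so map the `None` case to an error instead of unwrapping. Separately, the privilege lookup uses the root path `&[]`, while patch 1/2 checks `PRIV_SYS_AUDIT` on `["system", "status"]`; going by the two checks as written, a user holding Sys.Audit only on that path would be allowed the RRD data but still get `"hidden"` here. If that is intended, a comment saying so would help. Returning the literal string `"hidden"` in `serverid` also leaves API consumers unable to tell the censored case from a real value by type, and the updated description ("if permitted to access") does not say what is returned otherwise.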
* [pbs-devel] applied: [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info
From: Dietmar Maurer @ 2020-09-17 4:04 UTC
To: Proxmox Backup Server development discussion, Fabian Grünbichler

applied

* [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD
From: Dietmar Maurer @ 2020-09-17 4:03 UTC
To: Proxmox Backup Server development discussion, Fabian Grünbichler

applied