From: "DERUMIER, Alexandre" <alexandre.derumier@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-network 1/1] get_local_vnets: fix permission path && perm
Date: Wed, 7 Jun 2023 16:27:26 +0000 [thread overview]
Message-ID: <494f4638beff06af5560d4c9f8de732691414020.camel@groupe-cyllene.com> (raw)
In-Reply-To: <1686149560.i7ewotwm93.astroid@yuna.none>
Le mercredi 07 juin 2023 à 16:56 +0200, Fabian Grünbichler a écrit :
> pve-network requires more work:
>
> - there is a lot of /sdn/vnets/.. permission checks leftover (all of
> the vnet/subnet code!)
> - there are /sdn/vnets/../subnets/.. ACL paths that need to be
> dropped,
> or they clash with /sdn/zones/<zone>/<vnet>[/<vlan>]
I'll look at it . permissions management on /sdn/vnets was never
exposed to gui (in zone permission manage, on main permissions panel
combo). So I really don't think that somebody has ever used it.
I don't think we need permission on subnets anyway.
Permission on vnet with SDN.use should allow to use all subnets
of the vnet.
> - the GUI seems to be broken when "Advanced" is not ticked
>
Yes, some user reported this some weeks ago (without any change in pve-
network). I think something have change in pve-manager, I need to check
that.
> I started off, but then I realized we might also want to re-evaluate:
> - whether we even care about potentially leaking the vnet<->zone
> binding
> in case the ACL checks fail
I think for SDN.Allocate (create vnets/change zone option), permission
on zone should be enough.
SDN.Allocate on a vnet to create subnets or change vnet option.
So, yes, using /sdn/zones/<zone>/<vnet> make sense. (and propagate from
the zone is great too).
>- whether we want to move the whole API tree as well to have vnets
>below
> zones instead of next to eachother, so we always have the zone as
> (path) parameter?
I'll try to have a look at this too.
>>anyhow, here's a half-diff of some potentially relevant changes ;)
ok. thanks. I'll work on it tomorrow !
> ```
> diff --git a/src/PVE/API2/Network/SDN/Subnets.pm
> b/src/PVE/API2/Network/SDN/Subnets.pm
> index 377a568..fbe2c46 100644
> --- a/src/PVE/API2/Network/SDN/Subnets.pm
> +++ b/src/PVE/API2/Network/SDN/Subnets.pm
> @@ -39,7 +39,7 @@ __PACKAGE__->register_method ({
> method => 'GET',
> description => "SDN subnets index.",
> permissions => {
> - description => "Only list entries where you have 'SDN.Audit'
> or 'SDN.Allocate' permissions on '/sdn/subnets/<subnet>'",
> + description => "Only list entries where you have 'SDN.Audit',
> 'SDN.Use' or 'SDN.Allocate' permissions on '/sdn/subnets/<subnet>'",
> user => 'all',
> },
> parameters => {
> @@ -89,7 +89,7 @@ __PACKAGE__->register_method ({
> my @sids = PVE::Network::SDN::Subnets::sdn_subnets_ids($cfg);
> my $res = [];
> foreach my $id (@sids) {
> - my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
> + my $privs = [ 'SDN.Audit', 'SDN.Use', 'SDN.Allocate' ];
> next if !$rpcenv->check_any($authuser,
> "/sdn/vnets/$vnetid/subnets/$id", $privs, 1);
>
> my $scfg = &$api_sdn_subnets_config($cfg, $id);
> diff --git a/src/PVE/API2/Network/SDN/Vnets.pm
> b/src/PVE/API2/Network/SDN/Vnets.pm
> index 811a2e8..eaa3a04 100644
> --- a/src/PVE/API2/Network/SDN/Vnets.pm
> +++ b/src/PVE/API2/Network/SDN/Vnets.pm
> @@ -50,6 +50,13 @@ my $api_sdn_vnets_deleted_config = sub {
> }
> };
>
> +# checks access, but masks zone to avoid info leak..
> +my $check_vnet_access = sub {
> + sub ($rpcenv, $authuser, $zone, $vnet, $privs) = @_;
> + $rpcenv->check_any($authuser, "/sdn/zones/<zone>/$vnet", $privs)
> + if !$rpcenv->check_any($authuser, "/sdn/zones/$zone/$vnet",
> $privs, 1);
> +}
> +
> __PACKAGE__->register_method ({
> name => 'index',
> path => '',
> @@ -57,7 +64,7 @@ __PACKAGE__->register_method ({
> description => "SDN vnets index.",
> permissions => {
> description => "Only list entries where you have 'SDN.Audit'
> or 'SDN.Allocate'"
> - ." permissions on '/sdn/vnets/<vnet>'",
> + ." permissions on '/sdn/zones/<zone>/<vnet>'",
> user => 'all',
> },
> parameters => {
> @@ -104,8 +111,10 @@ __PACKAGE__->register_method ({
> my @sids = PVE::Network::SDN::Vnets::sdn_vnets_ids($cfg);
> my $res = [];
> foreach my $id (@sids) {
> - my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
> - next if !$rpcenv->check_any($authuser, "/sdn/vnets/$id",
> $privs, 1);
> + my $privs = [ 'SDN.Audit', 'SDN.Use', 'SDN.Allocate' ];
> + my $zone = $cfg->{$id}->{zone};
> + next if !$zone;
> + next if !$rpcenv->check_any($authuser,
> "/sdn/zones/$zone/$id", $privs, 1);
>
> my $scfg = &$api_sdn_vnets_config($cfg, $id);
> push @$res, $scfg;
> @@ -120,8 +129,9 @@ __PACKAGE__->register_method ({
> method => 'GET',
> description => "Read sdn vnet configuration.",
> permissions => {
> - check => ['perm', '/sdn/vnets/{vnet}', ['SDN.Allocate']],
> - },
> + description => "Requires 'SDN.Allocate' permission on
> '/sdn/zones/<zone>/<vnet>'",
> + user => 'all',
> + },
> parameters => {
> additionalProperties => 0,
> properties => {
> @@ -144,6 +154,9 @@ __PACKAGE__->register_method ({
> code => sub {
> my ($param) = @_;
>
> + my $rpcenv = PVE::RPCEnvironment::get();
> + my $authuser = $rpcenv->get_user();
> +
> my $cfg = {};
> if($param->{pending}) {
> my $running_cfg = PVE::Network::SDN::running_config();
> @@ -156,6 +169,11 @@ __PACKAGE__->register_method ({
> $cfg = PVE::Network::SDN::Vnets::config();
> }
>
> + my $zone = $cfg->{$vnet}->{zone};
> + return if !$zone;
> +
> + $check_vnet_access($rpcenv, $authuser, $zone, $vnet,
> ['SDN.Allocate']);
> +
> return $api_sdn_vnets_config->($cfg, $param->{vnet});
> }});
>
> @@ -166,7 +184,7 @@ __PACKAGE__->register_method ({
> method => 'POST',
> description => "Create a new sdn vnet object.",
> permissions => {
> - check => ['perm', '/sdn/vnets', ['SDN.Allocate']],
> + check => ['perm', '/sdn/zones/{zone}', ['SDN.Allocate']],
> },
> parameters => PVE::Network::SDN::VnetPlugin->createSchema(),
> returns => { type => 'null' },
> @@ -210,24 +228,36 @@ __PACKAGE__->register_method ({
> method => 'PUT',
> description => "Update sdn vnet object configuration.",
> permissions => {
> - check => ['perm', '/sdn/vnets', ['SDN.Allocate']],
> + description => "Requires 'SDN.Allocate' permission on
> '/sdn/zones/<zone>/<vnet>'",
> + user => 'all',
> },
> parameters => PVE::Network::SDN::VnetPlugin->updateSchema(),
> returns => { type => 'null' },
> code => sub {
> my ($param) = @_;
>
> + my $rpcenv = PVE::RPCEnvironment::get();
> + my $authuser = $rpcenv->get_user();
> +
> my $id = extract_param($param, 'vnet');
> my $digest = extract_param($param, 'digest');
>
> PVE::Network::SDN::lock_sdn_config(sub {
> my $cfg = PVE::Network::SDN::Vnets::config();
>
> - PVE::SectionConfig::assert_if_modified($cfg, $digest);
> + my $zone = $cfg->{ids}->{$id}->{zone} // $params->{zone};
> + # TODO can this even happen?
> + raise_param_exc({ zone => "missing zone" }) if !$zone;
> +
> + $check_vnet_access($rpcenv, $authuser, $zone, $id,
> ['SDN.Allocate']);
> +
> + if (my $new_zone = $params->{zone}) {
> + $rpcenv->check($authuser, "/sdn/zones/$new_zone/$id",
> ['SDN.Allocate']);
> + }
>
> + PVE::SectionConfig::assert_if_modified($cfg, $digest);
>
> my $opts = PVE::Network::SDN::VnetPlugin-
> >check_config($id, $param, 0, 1);
> - raise_param_exc({ zone => "missing zone"}) if !$opts-
> >{zone};
> my $subnets = PVE::Network::SDN::Vnets::get_subnets($id);
> raise_param_exc({ zone => "can't change zone if subnets
> exists"}) if($subnets && $opts->{zone} ne $cfg->{ids}->{$id}-
> >{zone});
>
> @@ -256,7 +286,8 @@ __PACKAGE__->register_method ({
> method => 'DELETE',
> description => "Delete sdn vnet object configuration.",
> permissions => {
> - check => ['perm', '/sdn/vnets', ['SDN.Allocate']],
> + description => "Requires 'SDN.Allocate' permission on
> '/sdn/zones/<zone>/<vnet>'",
> + user => 'all',
> },
> parameters => {
> additionalProperties => 0,
> @@ -270,10 +301,19 @@ __PACKAGE__->register_method ({
> code => sub {
> my ($param) = @_;
>
> + my $rpcenv = PVE::RPCEnvironment::get();
> + my $authuser = $rpcenv->get_user();
> +
> my $id = extract_param($param, 'vnet');
>
> PVE::Network::SDN::lock_sdn_config(sub {
> my $cfg = PVE::Network::SDN::Vnets::config();
> + my $zone = $cfg->{ids}->{$id}->{zone};
> + # TODO can this even happen?
> + raise_param_exc({ zone => "missing zone" }) if !$zone;
> +
> + $check_vnet_access($rpcenv, $authuser, $zone, $id,
> ['SDN.Allocate']);
> +
> my $scfg =
> PVE::Network::SDN::Vnets::sdn_vnets_config($cfg, $id); # check if
> exists
> my $vnet_cfg = PVE::Network::SDN::Vnets::config();
>
> ```
>
> On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> > new path is /zones/<zone>/<vnetid>
> >
> > Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> > ---
> > PVE/Network/SDN.pm | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/PVE/Network/SDN.pm b/PVE/Network/SDN.pm
> > index b95dd5b..1ad85e5 100644
> > --- a/PVE/Network/SDN.pm
> > +++ b/PVE/Network/SDN.pm
> > @@ -190,10 +190,10 @@ sub get_local_vnets {
> > my $zoneid = $vnet->{zone};
> > my $comments = $vnet->{alias};
> >
> > - my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
> > + my $privs = [ 'SDN.Audit', 'SDN.Use' ];
> >
> > next if !$zoneid;
> > - next if !$rpcenv->check_any($authuser,
> > "/sdn/zones/$zoneid", $privs, 1) && !$rpcenv->check_any($authuser,
> > "/sdn/vnets/$vnetid", $privs, 1);
> > + next if !$rpcenv->check_sdn_bridge($authuser, $zoneid,
> > $vnetid, $privs, 1);
> >
> > my $zone_config =
> > PVE::Network::SDN::Zones::sdn_zones_config($zones_cfg, $zoneid);
> >
> > --
> > 2.30.2
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel@lists.proxmox.com
> > https://antiphishing.cetsi.fr/proxy/v3?i=MUo0RzFIRTVvbFhYVGloQoloZQj6tvqyhpERsn5z8Z4&r=cFdGNHFjVENnWDEzUVliSYiK92A-8tPjy0OkrQBFKsNtwFQPVFVwvPagaFXOdIvK&f=ODlJNFRJTjZBcWFlaWxQaCCCfKFEiPqnNIdA-OFeRWhRkYGvCokAsY8PdoPF8z-Ieq4V3WNpzo4Gr8nE76YOxQ&u=https%3A//lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel&k=b1p5
> >
> >
> >
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://antiphishing.cetsi.fr/proxy/v3?i=MUo0RzFIRTVvbFhYVGloQoloZQj6tvqyhpERsn5z8Z4&r=cFdGNHFjVENnWDEzUVliSYiK92A-8tPjy0OkrQBFKsNtwFQPVFVwvPagaFXOdIvK&f=ODlJNFRJTjZBcWFlaWxQaCCCfKFEiPqnNIdA-OFeRWhRkYGvCokAsY8PdoPF8z-Ieq4V3WNpzo4Gr8nE76YOxQ&u=https%3A//lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel&k=b1p5
>
next prev parent reply other threads:[~2023-06-07 16:27 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-07 12:03 [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/pve-guest-common/qemu-server/pve-network] check permissions on local bridge Alexandre Derumier
2023-06-07 12:03 ` [pve-devel] [PATCH v2 pve-access-control 1/3] access control: add /sdn/zones/<zone>/<vnet>/<vlan> path Alexandre Derumier
2023-06-07 14:41 ` [pve-devel] applied: " Fabian Grünbichler
2023-06-07 12:03 ` [pve-devel] [PATCH v4 qemu-server 1/1] api2: add check_bridge_access for create/update/clone/restore vm Alexandre Derumier
2023-06-07 14:52 ` Fabian Grünbichler
2023-06-07 16:46 ` DERUMIER, Alexandre
2023-06-08 16:02 ` [pve-devel] applied: " Thomas Lamprecht
2023-06-09 7:00 ` DERUMIER, Alexandre
2023-06-09 7:14 ` DERUMIER, Alexandre
2023-06-09 7:29 ` Thomas Lamprecht
2023-06-09 8:28 ` DERUMIER, Alexandre
2023-06-09 7:26 ` Thomas Lamprecht
2023-06-07 12:03 ` [pve-devel] [PATCH v3 pve-manager 1/4] api2: network: check permissions for local bridges Alexandre Derumier
2023-06-07 14:45 ` [pve-devel] applied: " Fabian Grünbichler
2023-06-07 12:03 ` [pve-devel] [PATCH pve-network 1/1] get_local_vnets: fix permission path && perm Alexandre Derumier
2023-06-07 14:56 ` Fabian Grünbichler
2023-06-07 16:27 ` DERUMIER, Alexandre [this message]
2023-06-08 1:34 ` DERUMIER, Alexandre
2023-06-07 12:03 ` [pve-devel] [PATCH v2 pve-guest-common 1/1] helpers : add check_vnet_access Alexandre Derumier
2023-06-07 14:48 ` [pve-devel] applied: " Fabian Grünbichler
2023-06-07 12:03 ` [pve-devel] [PATCH v3 pve-manager 2/4] api2: cluster: ressources: add "localnetwork" zone Alexandre Derumier
2023-06-07 14:44 ` Fabian Grünbichler
2023-06-07 17:18 ` DERUMIER, Alexandre
2023-06-07 12:03 ` [pve-devel] [PATCH v2 pve-access-control 2/3] rpcenvironnment: add check_sdn_bridge Alexandre Derumier
2023-06-07 14:41 ` [pve-devel] applied: " Fabian Grünbichler
2023-06-07 12:03 ` [pve-devel] [PATCH v2 pve-access-control 3/3] add new SDN.use privilege in PVESDNUser role Alexandre Derumier
2023-06-07 14:42 ` [pve-devel] applied: " Fabian Grünbichler
2023-06-07 12:03 ` [pve-devel] [PATCH v3 pve-manager 3/4] ui: add vnet permissions panel Alexandre Derumier
2023-06-07 12:03 ` [pve-devel] [PATCH v3 pve-manager 4/4] ui: add permissions management for "localnetwork" zone Alexandre Derumier
2023-06-12 14:39 ` [pve-devel] applied-series: [PATCH-SERIE pve-access-control/pve-manager/pve-guest-common/qemu-server/pve-network] check permissions on local bridge Fabian Grünbichler
-- strict thread matches above, loose matches on Subject: below --
2023-06-06 13:19 [pve-devel] " Alexandre Derumier
2023-06-06 13:19 ` [pve-devel] [PATCH pve-network 1/1] get_local_vnets: fix permission path && perm Alexandre Derumier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=494f4638beff06af5560d4c9f8de732691414020.camel@groupe-cyllene.com \
--to=alexandre.derumier@groupe-cyllene.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.