From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id C664C1FF187 for ; Mon, 6 Oct 2025 11:00:28 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9EADD260C8; Mon, 6 Oct 2025 11:00:31 +0200 (CEST) Mime-Version: 1.0 Date: Mon, 06 Oct 2025 11:00:27 +0200 Message-Id: To: "Proxmox Datacenter Manager development discussion" X-Mailer: aerc 0.20.0 References: <20250919151105.348900-1-s.shaji@proxmox.com> In-Reply-To: <20250919151105.348900-1-s.shaji@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1759741199853 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.056 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Cc: Shan Shaji , pdm-devel Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" On Fri Sep 19, 2025 at 5:11 PM CEST, Shan Shaji wrote: > When a non-root user logged into PDM, the Top Entities section was > not visible, even though the required privileges had been assigned. > > To fix it allow all authenticated users to access the `/top-entities` > endpoint. Also added explicit privilege checks to validate the access > on resources. > imo: mention that the returned top entities will be filter by the users permissions based on what resources they have access to in the commit message. some nits and comments in-line. > Signed-off-by: Shan Shaji > --- > server/src/api/resources.rs | 23 ++++++++++++++++++-- > server/src/metric_collection/top_entities.rs | 5 +++++ > 2 files changed, 26 insertions(+), 2 deletions(-) > > diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs > index ce05db1..4012353 100644 > --- a/server/src/api/resources.rs > +++ b/server/src/api/resources.rs > @@ -475,6 +475,9 @@ pub async fn get_subscription_status( > // FIXME: make timeframe and count parameters? > // FIXME: permissions? nit: remove this fixme while you are at it :) > #[api( > + access: { > + permission: &Permission::Anybody, > + }, nit: typically we have the `access` portion toward the end of the api macro. would be nice to have this here too for consistency but no blocker. however, it would be nice to add a description here that users need to have permissions to at least some resource under `/resources` for this api endpoint not to bail with an UNAUTHORIZED error. and also that the results will be filtered by resources that a user has access too. so something like this maybe: The user needs to have at least `PRIV_RESOURCE_AUDIT` on one resources under `/resource`. Only resources for which the user has `PRIV_RESOURCE_AUDIT` on `/resource/{remote_name} will be considered when calculating the top entities. > input: { > properties: { > "timeframe": { > @@ -485,11 +488,27 @@ pub async fn get_subscription_status( > }, > )] > /// Returns the top X entities regarding the chosen type > -async fn get_top_entities(timeframe: Option) -> Result { > +async fn get_top_entities( > + timeframe: Option, > + rpcenv: &mut dyn RpcEnvironment, > +) -> Result { > + let user_info = CachedUserInfo::new()?; > + let auth_id: Authid = rpcenv > + .get_auth_id() > + .ok_or_else(|| format_err!("no authid available"))? > + .parse()?; > + > + if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? { > + http_bail!(UNAUTHORIZED, "user has no access to resources"); i know there is another endpoint like this in the same file, but we usually use 403 ("Forbidden") when a user does not have sufficient permissions and 401 ("Unauthorized") when there is no authentication at all. imo it would be nice to keep that consistent, so this should be a `FORBIDDEN`. > + } > + > let (remotes_config, _) = pdm_config::remotes::config()?; > + let check_remote_privs = |remote_name: &str| { > + user_info.lookup_privs(&auth_id, &["resource", remote_name]) & PRIV_RESOURCE_AUDIT != 0 > + }; > > let timeframe = timeframe.unwrap_or(RrdTimeframe::Day); > - let res = top_entities::calculate_top(&remotes_config, timeframe, 10); > + let res = top_entities::calculate_top(&remotes_config, timeframe, 10, check_remote_privs); > Ok(res) > } > > diff --git a/server/src/metric_collection/top_entities.rs b/server/src/metric_collection/top_entities.rs > index 47fda24..990189a 100644 > --- a/server/src/metric_collection/top_entities.rs > +++ b/server/src/metric_collection/top_entities.rs > @@ -36,12 +36,17 @@ pub fn calculate_top( > remotes: &HashMap, > timeframe: proxmox_rrd_api_types::RrdTimeframe, > num: usize, > + check_remote_privs: impl Fn(&str) -> bool > ) -> TopEntities { > let mut guest_cpu = Vec::new(); > let mut node_cpu = Vec::new(); > let mut node_memory = Vec::new(); > > for remote_name in remotes.keys() { > + if !check_remote_privs(remote_name) { > + continue; > + } > + > if let Some(data) = > crate::api::resources::get_cached_resources(remote_name, i64::MAX as u64) > { other than the comments above, consider this: Reviewed-by: Shannon Sterz _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel