From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id F05A61FF15E for ; Mon, 13 Oct 2025 10:41:17 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 6D1B1E14F; Mon, 13 Oct 2025 10:41:35 +0200 (CEST) Mime-Version: 1.0 Date: Mon, 13 Oct 2025 10:41:01 +0200 Message-Id: To: "Shan Shaji" X-Mailer: aerc 0.20.0 References: <20251010151803.257519-1-s.shaji@proxmox.com> <20251010151803.257519-2-s.shaji@proxmox.com> In-Reply-To: <20251010151803.257519-2-s.shaji@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1760344826090 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.055 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH datacenter-manager 1/2] fix #6901: api: add permission checks for PBS rrd endpoints X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Cc: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" On Fri Oct 10, 2025 at 5:18 PM CEST, Shan Shaji wrote: > When a non-root user tried to view the RRD data of the PBS node or > datastores, even with Administrator privileges, the API was > returning a "403: permission check failed" error. This occured > because the access property was not defined inside the `api` macro. > > To fix the issue, a resource level permission check was added. > Now if a user has atleast the `Resource.Audit` permission, then they > can access the RRD data of the node and datastores. > > Signed-off-by: Shan Shaji > --- > server/src/api/pbs/rrddata.rs | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/server/src/api/pbs/rrddata.rs b/server/src/api/pbs/rrddata.rs > index aa980d4..c8885de 100644 > --- a/server/src/api/pbs/rrddata.rs > +++ b/server/src/api/pbs/rrddata.rs > @@ -2,8 +2,9 @@ use anyhow::Error; > use pdm_api_types::{ > remotes::REMOTE_ID_SCHEMA, > rrddata::{PbsDatastoreDataPoint, PbsNodeDataPoint}, > + PRIV_RESOURCE_AUDIT, > }; > -use proxmox_router::Router; > +use proxmox_router::{Permission, Router}; > use proxmox_rrd_api_types::{RrdMode, RrdTimeframe}; > use proxmox_schema::api; > use serde_json::Value; > @@ -100,6 +101,10 @@ impl DataPoint for PbsDatastoreDataPoint { > }, > }, > }, > + access: { > + permission: &Permission::Privilege(&["resource", "{remote}"], PRIV_RESOURCE_AUDIT, false), > + description: "The user needs to have atleast `Resource.Audit` privilege under `/resource`." nit: a typo snuck in here, this should be `at least` also correct me if im wrong, but this is wrong? for the user to be able to access this endpoint, they would need `Resource.Audit` permissions on the specific remote that they are trying to get the RRD data for. otherwise they'll get a 403 error. by default permissions propagate down the the acl tree, but that can be disabled. so `Resource.Audit` on `/resource` does not always imply `Resource.Audit` on `/resource/my-pbs-remote` etc. hence, this should probably be: The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}`. note that for pbs we autogenerate descriptions for endpoints that only set "permission" but not "description" [1]. while this has the upside of always being in-line with the actual code, the descriptions might be a bit difficult to parse especially for newbies to our codebase. [1]: https://pbs.proxmox.com/docs/api-viewer/index.html#/tape/drive/{drive}/clean > + } > )] > /// Read PBS node stats > async fn get_pbs_node_rrd_data( > @@ -125,6 +130,10 @@ async fn get_pbs_node_rrd_data( > }, > }, > }, > + access: { > + permission: &Permission::Privilege(&["resource", "{remote}", "datastore", "{datastore}"], PRIV_RESOURCE_AUDIT, false), > + description: "The user needs to have atleast `Resource.Audit` privilege under `/resource`." nit: same as above, should probably be: The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}/datastore/{datastore}`. > + } > )] > /// Read PBS datastore stats > async fn get_pbs_datastore_rrd_data( _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel