* [pdm-devel] [PATCH datacenter-manager v2 1/2] fix #6901: api: add permission checks for PBS rrd endpoints
From: Shan Shaji @ 2025-10-14 8:56 UTC (permalink / raw)
To: pdm-devel
When a non-root user tried to view the RRD data of the PBS node or
datastores, even with Administrator privileges, the API was
returning a "403: permission check failed" error. This occurred
because the access property was not defined inside the `api` macro.
To fix the issue, a resource level permission check was added.
Now if a user has at least the `Resource.Audit` permission, then they
can access the RRD data of the node and datastores.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
changes since v1:
- Updated endpoint descriptions.
server/src/api/pbs/rrddata.rs | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/src/api/pbs/rrddata.rs b/server/src/api/pbs/rrddata.rs
index aa980d4..74c670d 100644
--- a/server/src/api/pbs/rrddata.rs
+++ b/server/src/api/pbs/rrddata.rs
@@ -2,8 +2,9 @@ use anyhow::Error;
use pdm_api_types::{
remotes::REMOTE_ID_SCHEMA,
rrddata::{PbsDatastoreDataPoint, PbsNodeDataPoint},
+ PRIV_RESOURCE_AUDIT,
};
-use proxmox_router::Router;
+use proxmox_router::{Permission, Router};
use proxmox_rrd_api_types::{RrdMode, RrdTimeframe};
use proxmox_schema::api;
use serde_json::Value;
@@ -100,6 +101,10 @@ impl DataPoint for PbsDatastoreDataPoint {
},
},
},
+ access: {
+ permission: &Permission::Privilege(&["resource", "{remote}"], PRIV_RESOURCE_AUDIT, false),
+ description: "The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}`."
+ }
)]
/// Read PBS node stats
async fn get_pbs_node_rrd_data(
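Review bot: the new `access` block on `get_pbs_node_rrd_data` closes with a bare `}` before `)]`, while the equivalent block in `server/src/api/pbs/mod.rs` (patch 2/2) closes with `},`; adding the trailing comma keeps the macro style consistent across the two files. Two things to confirm from lines the hunk does not show: that `remote` is a declared input parameter of this endpoint, because a `{remote}` component that cannot be resolved from the request parameters fails the check outright (the exact failure 2/2 removes for `{node}`), and that `false` as the third argument is intended. With a single privilege in the mask, requiring all bits and requiring any bit coincide, so the flag is harmless here but would change the semantics if further privileges are ever OR'd into the mask.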
@@ -125,6 +130,10 @@ async fn get_pbs_node_rrd_data(
},
},
},
+ access: {
+ permission: &Permission::Privilege(&["resource", "{remote}", "datastore", "{datastore}"], PRIV_RESOURCE_AUDIT, false),
+ description: "The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}/datastore/{datastore}`."
+ }
)]
/// Read PBS datastore stats
async fn get_pbs_datastore_rrd_data(
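Review bot: the `{datastore}` component must match the endpoint's input parameter name exactly, and the hunk does not show the input schema of `get_pbs_datastore_rrd_data`; please double-check the parameter is really named `datastore` (not `store` or similar), since a mismatch reproduces the 403 this series fixes instead of producing a readable error. Scoping the check to `/resource/{remote}/datastore/{datastore}` rather than `/resource/{remote}` is the right call: in the Proxmox ACL model privileges propagate down the path, so a user with `Resource.Audit` on the remote still passes, while a user whose Audit privilege is limited to one datastore sees that datastore's RRD data and nothing at node level. Same trailing-comma style point as for the node endpoint above.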
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
From: Shan Shaji @ 2025-10-14 8:56 UTC (permalink / raw)
To: pdm-devel
If a non-root user tried to view the overview of a PBS, it was
showing "403: permission check failed" error. This occurred because the
privilege path included the "node" object which is neither accepted
as a parameter in the endpoint nor passed from the UI.
To fix the issue, the "node" reference was removed. Now if the user has
at least the `Resource.Audit` permission, they can view PBS status under
the overview panel.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
changes since v1:
- Updated endpoint description.
server/src/api/pbs/mod.rs | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/src/api/pbs/mod.rs b/server/src/api/pbs/mod.rs
index dc31f62..ad82ab3 100644
--- a/server/src/api/pbs/mod.rs
+++ b/server/src/api/pbs/mod.rs
@@ -272,7 +272,8 @@ pub async fn scan_remote_pbs(
},
},
access: {
- permission: &Permission::Privilege(&["resource", "{remote}", "node", "{node}"], PRIV_RESOURCE_AUDIT, false),
+ permission: &Permission::Privilege(&["resource", "{remote}"], PRIV_RESOURCE_AUDIT, false),
+ description: "The user needs to have at least the `Resource.Audit` privilege on `/resource/{remote}`."
},
)]
/// Get status for the PBS remote
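Review bot: the old path `["resource", "{remote}", "node", "{node}"]` could never be satisfied by a non-superuser, because `{node}` is not an input parameter of this endpoint and a template component that cannot be resolved from the request fails the permission check; that explains the unconditional 403 in the commit message and also means the shorter path does not loosen any access that previously worked. The new path is identical to the node RRD path added in 1/2, so PBS status and node RRD data are gated by the same `Resource.Audit` on `/resource/{remote}`, which is sensible for a single-node PBS remote. The `description` is the only place where this is documented for API consumers, so keep it in sync if the path changes again.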
--
2.47.3
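Added example, not code from this series, from proxmox-router or from datacenter-manager: a small Rust model of how a templated privilege path such as `["resource", "{remote}", "node", "{node}"]` is resolved against the request parameters and then checked against an ACL. It covers both patches above: a `{node}` component with no matching request parameter fails the check for every non-superuser (the 403 fixed in 2/2), and `Resource.Audit` granted on `/resource/{remote}` carries down to `/resource/{remote}/datastore/{datastore}` while a grant scoped to one datastore does not reach the node-level path (the split chosen in 1/2). The ACL store, the propagation rule, the user names `auditor@pdm` and `dsuser@pdm`, the remote name `pbs1`, the datastore name `backup` and the privilege bit values are assumptions made for the example; the `Decision` enum keeps the reason for a denial, where the real router only reports a failed check.

```rust
// Added example for this review, not proxmox-router or datacenter-manager code:
// a small model of templated privilege-path checks in the style of
// `Permission::Privilege(path, privs, partial)`. The ACL store, inheritance
// rule, user/remote/datastore names and privilege bit values are assumptions.
use std::collections::HashMap;

/// Privilege bits; the numeric values are assumed for this example.
pub const PRIV_RESOURCE_AUDIT: u64 = 1 << 0;
pub const PRIV_RESOURCE_MODIFY: u64 = 1 << 1;

/// Minimal ACL store: privilege bits per (user, path), inherited down the path.
#[derive(Default)]
pub struct Acl {
    entries: HashMap<(String, String), u64>,
    superusers: Vec<String>,
}

impl Acl {
    pub fn grant(&mut self, user: &str, path: &str, privs: u64) {
        *self.entries.entry((user.to_string(), path.to_string())).or_insert(0) |= privs;
    }
    pub fn add_superuser(&mut self, user: &str) {
        self.superusers.push(user.to_string());
    }
    pub fn is_superuser(&self, user: &str) -> bool {
        self.superusers.iter().any(|u| u == user)
    }
    /// Effective privileges on a resolved path: the union of what is granted on
    /// the path itself and on each ancestor, "/" included (assumed propagation).
    pub fn lookup_privs(&self, user: &str, path: &[&str]) -> u64 {
        (0..=path.len())
            .map(|i| format!("/{}", path[..i].join("/")))
            .filter_map(|p| self.entries.get(&(user.to_string(), p)))
            .fold(0, |acc, privs| acc | *privs)
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Allow,
    /// The user lacks the required privilege on the resolved path.
    MissingPrivilege(String),
    /// A `{param}` component had no matching request parameter. The real
    /// router only reports a failed check here; this model keeps the reason.
    UnresolvedParam(String),
}

/// Resolve `{param}` components from the request parameters, then check the
/// caller's privileges on the resulting path. `partial == false` demands every
/// bit in `required`; `partial == true` is satisfied by any one of them.
pub fn check_privilege(acl: &Acl, user: &str, template: &[&str], required: u64,
                       partial: bool, params: &HashMap<&str, &str>) -> Decision {
    if acl.is_superuser(user) { return Decision::Allow; }
    let mut resolved: Vec<&str> = Vec::with_capacity(template.len());
    for &comp in template {
        if comp.starts_with('{') && comp.ends_with('}') {
            let name = &comp[1..comp.len() - 1];
            match params.get(name) {
                Some(&value) => resolved.push(value),
                None => return Decision::UnresolvedParam(name.to_string()),
            }
        } else {
            resolved.push(comp);
        }
    }
    let have = acl.lookup_privs(user, &resolved);
    let ok = if partial { have & required != 0 } else { have & required == required };
    if ok { Decision::Allow } else { Decision::MissingPrivilege(format!("/{}", resolved.join("/"))) }
}

/// The situations from the two patches, run against a constructed ACL.
pub fn demo() -> Vec<(&'static str, Decision)> {
    let mut acl = Acl::default();
    acl.add_superuser("root@pam");
    acl.grant("auditor@pdm", "/resource/pbs1", PRIV_RESOURCE_AUDIT);
    acl.grant("dsuser@pdm", "/resource/pbs1/datastore/backup", PRIV_RESOURCE_AUDIT);
    // Request parameters as the endpoints accept them: there is no "node".
    let params = HashMap::from([("remote", "pbs1"), ("datastore", "backup")]);
    let old_status = ["resource", "{remote}", "node", "{node}"];
    let remote = ["resource", "{remote}"];
    let datastore = ["resource", "{remote}", "datastore", "{datastore}"];
    let audit = PRIV_RESOURCE_AUDIT;
    vec![
        ("old status path, auditor", check_privilege(&acl, "auditor@pdm", &old_status, audit, false, &params)),
        ("old status path, root", check_privilege(&acl, "root@pam", &old_status, audit, false, &params)),
        ("fixed status / node rrd, auditor", check_privilege(&acl, "auditor@pdm", &remote, audit, false, &params)),
        ("datastore rrd, auditor (inherited)", check_privilege(&acl, "auditor@pdm", &datastore, audit, false, &params)),
        ("datastore rrd, dsuser", check_privilege(&acl, "dsuser@pdm", &datastore, audit, false, &params)),
        ("node rrd, dsuser", check_privilege(&acl, "dsuser@pdm", &remote, audit, false, &params)),
    ]
}

fn main() {
    for (label, decision) in demo() {
        println!("{label}: {decision:?}");
    }
}
```

Running `demo()` shows the first case denied with `UnresolvedParam("node")` for the auditor but allowed for `root@pam`, which is exactly the "works for root, 403 for everyone else" symptom, and the last case denied with `MissingPrivilege("/resource/pbs1")`, showing that a datastore-scoped grant does not climb up to the node-level path.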
* Re: [pdm-devel] [PATCH datacenter-manager v2 0/2] fix #6901: add explicit permissions for PBS status and RRD endpoints
From: Shannon Sterz @ 2025-10-14 9:15 UTC (permalink / raw)
To: Shan Shaji; +Cc: Proxmox Datacenter Manager development discussion
On Tue Oct 14, 2025 at 10:56 AM CEST, Shan Shaji wrote:
> If a non-root user tried to view the overview of a PBS, a
> "403: permission check failed" error was shown. Additionally,
> the RRD data for the node and datastores were not visible.
>
> To fix the issue, explicit permission checks were added for
> the PBS RRD endpoints and the PBS status endpoint.
>
> Ticket #6901 also reports a similar issue in the EVPN panel,
> which will be addressed in a separate patch.
>
> Changelog
> =========
>
> since v1: Thanks @Shannon Sterz
> patch: https://lore.proxmox.com/pdm-devel/20251010151803.257519-1-s.shaji@proxmox.com/T/#t
>
> - Updated description for both status and RRD endpoints.
> - Updated commit message.
>
> Shan Shaji (2):
> fix #6901: api: add permission checks for PBS rrd endpoints
> fix #6901: api: remove `node` reference from templated privilege path
>
> server/src/api/pbs/mod.rs | 3 ++-
> server/src/api/pbs/rrddata.rs | 11 ++++++++++-
> 2 files changed, 12 insertions(+), 2 deletions(-)
looks good to me, consider this:
Reviewed-by: Shannon Sterz <s.sterz@proxmox.com>
From: Thomas Lamprecht @ 2025-10-16 22:48 UTC (permalink / raw)
To: pdm-devel, Shan Shaji
On Tue, 14 Oct 2025 10:56:49 +0200, Shan Shaji wrote:
> If a non-root user tried to view the overview of a PBS, a
> "403: permission check failed" error was shown. Additionally,
> the RRD data for the node and datastores were not visible.
>
> To fix the issue, explicit permission checks were added for
> the PBS RRD endpoints and the PBS status endpoint.
>
> [...]
Applied, thanks!
[1/2] fix #6901: api: add permission checks for PBS rrd endpoints
commit: df0121037c3ee7554d5a681d978ffe4f29a8ae0a
[2/2] fix #6901: api: remove `node` reference from templated privilege path
commit: e7e8910b6c82734be74e8317582d625f921de4a9