From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: "Proxmox VE development discussion" <pve-devel@lists.proxmox.com>,
"Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Subject: Re: [pve-devel] [PATCH v2 manager] pve6to7: add check for pool permissions
Date: Wed, 16 Jun 2021 14:49:55 +0200 [thread overview]
Message-ID: <a4f2efd4-1d53-aaf5-65f1-501602ec38fa@proxmox.com> (raw)
In-Reply-To: <1623847161.ldx69rhpb4.astroid@nora.none>
On 16.06.21 14:45, Fabian Grünbichler wrote:
> On June 16, 2021 2:16 pm, Lorenz Stechauner wrote:
>> the two checks make sure that:
>> * no user defined role 'PVEPoolUser' exists
>> * the user gets a hint for roles only containing Pool.Allocate and
>> not Pool.Audit
>>
>> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
>> ---
>> changes to v1:
>> * rebased on master
>>
>> PVE/CLI/pve6to7.pm | 25 +++++++++++++++++++++++++
>> 1 file changed, 25 insertions(+)
>>
>> diff --git a/PVE/CLI/pve6to7.pm b/PVE/CLI/pve6to7.pm
>> index 90f92a55..b391d006 100644
>> --- a/PVE/CLI/pve6to7.pm
>> +++ b/PVE/CLI/pve6to7.pm
>> @@ -9,6 +9,7 @@ use PVE::API2::LXC;
>> use PVE::API2::Qemu;
>> use PVE::API2::Certificates;
>>
>> +use PVE::AccessControl;
>> use PVE::Ceph::Tools;
>> use PVE::Cluster;
>> use PVE::Corosync;
>> @@ -693,6 +694,30 @@ sub check_misc {
>>
>> check_backup_retention_settings();
>> check_cifs_credential_location();
>> +
>> + log_info("Check custom roles");
>> + my $usercfg = PVE::Cluster::cfs_read_file("user.cfg");
>> + foreach my $role (sort keys %{$usercfg->{roles}}) {
>> + if (PVE::AccessControl::role_is_special($role)) {
>> + next;
>> + }
>> +
>> + if ($role eq "PVEPoolUser") {
>> + # the user created a custom role named PVEPoolUser
>> + log_fail("Custom role '$role' has a restricted name - a built-in role 'PVEPoolUser' will be available with the upgrade");
>> + } else {
>> + log_pass("Custom role '$role' has no restricted name");
>> + }
>> +
>> + my $perms = $usercfg->{roles}->{$role};
>> + if ($perms->{'Pool.Allocate'} && $perms->{'Pool.Audit'}) {
>> + log_pass("Custom role '$role' contains updated pool permissions");
>
> that does not work for PVE 6.x, where Pool.Audit is not yet a valid
> privilege, so gets dropped on parsing user.cfg ;)
>
> so either we add it as valid privilege (without using it for anything)
> in a new stable-6 branch, or we switch to lower-level parsing/checks
> here.. the file format is pretty simple, so the following should
> probably work for the purposes of the check:
did not try, but in theory you could also just mock the relevant subs in the pve 6
case to add that as valid priv there for this script only?
prev parent reply other threads:[~2021-06-16 12:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-16 12:16 Lorenz Stechauner
2021-06-16 12:45 ` Fabian Grünbichler
2021-06-16 12:49 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a4f2efd4-1d53-aaf5-65f1-501602ec38fa@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.