[pve-devel] [PATCH storage] close #5492: api: content: allow listing volumes with Datastore.Audit privilege

[pve-devel] [PATCH storage] close #5492: api: content: allow listing volumes with Datastore.Audit privilege

[Fiona Ebner]

The check_volume_access() method is for checking read access to a
volume. Users should be able to list the images, e.g. to check backup
health via monitoring like reported in #5492 comment 3, with just an
audit privilege.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/API2/Storage/Content.pm | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/src/PVE/API2/Storage/Content.pm b/src/PVE/API2/Storage/Content.pm
index 1fe7303..c1f9a1f 100644
--- a/src/PVE/API2/Storage/Content.pm
+++ b/src/PVE/API2/Storage/Content.pm
@@ -154,12 +154,6 @@ __PACKAGE__->register_method({
 
         my $res = [];
         foreach my $item (@$vollist) {
-            eval {
-                PVE::Storage::check_volume_access(
-                    $rpcenv, $authuser, $cfg, undef, $item->{volid},
-                );
-            };
-            next if $@;
             $item->{vmid} = int($item->{vmid}) if defined($item->{vmid});
             $item->{size} = int($item->{size}) if defined($item->{size});
             $item->{used} = int($item->{used}) if defined($item->{used});
-- 
2.47.2



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH storage] close #5492: api: content: allow listing volumes with Datastore.Audit privilege

[Fabian Grünbichler]

On July 18, 2025 5:03 pm, Fiona Ebner wrote:
> The check_volume_access() method is for checking read access to a
> volume. Users should be able to list the images, e.g. to check backup
> health via monitoring like reported in #5492 comment 3, with just an
> audit privilege.
> 
> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> ---
>  src/PVE/API2/Storage/Content.pm | 6 ------
>  1 file changed, 6 deletions(-)
> 
> diff --git a/src/PVE/API2/Storage/Content.pm b/src/PVE/API2/Storage/Content.pm
> index 1fe7303..c1f9a1f 100644
> --- a/src/PVE/API2/Storage/Content.pm
> +++ b/src/PVE/API2/Storage/Content.pm
> @@ -154,12 +154,6 @@ __PACKAGE__->register_method({
>  
>          my $res = [];
>          foreach my $item (@$vollist) {
> -            eval {
> -                PVE::Storage::check_volume_access(
> -                    $rpcenv, $authuser, $cfg, undef, $item->{volid},
> -                );
> -            };
> -            next if $@;

the data here also contains things like the notes content for that
volume, which might be sensitive..

should we maybe limit the returned information if there is no volume
access? e.g., just return volid, format, type, owner, and size
information?

>              $item->{vmid} = int($item->{vmid}) if defined($item->{vmid});
>              $item->{size} = int($item->{size}) if defined($item->{size});
>              $item->{used} = int($item->{used}) if defined($item->{used});
> -- 
> 2.47.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH storage] close #5492: api: content: allow listing volumes with Datastore.Audit privilege

[Fiona Ebner]

Am 30.07.25 um 3:11 PM schrieb Fabian Grünbichler:
> On July 18, 2025 5:03 pm, Fiona Ebner wrote:
>> The check_volume_access() method is for checking read access to a
>> volume. Users should be able to list the images, e.g. to check backup
>> health via monitoring like reported in #5492 comment 3, with just an
>> audit privilege.
>>
>> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
>> ---
>>  src/PVE/API2/Storage/Content.pm | 6 ------
>>  1 file changed, 6 deletions(-)
>>
>> diff --git a/src/PVE/API2/Storage/Content.pm b/src/PVE/API2/Storage/Content.pm
>> index 1fe7303..c1f9a1f 100644
>> --- a/src/PVE/API2/Storage/Content.pm
>> +++ b/src/PVE/API2/Storage/Content.pm
>> @@ -154,12 +154,6 @@ __PACKAGE__->register_method({
>>  
>>          my $res = [];
>>          foreach my $item (@$vollist) {
>> -            eval {
>> -                PVE::Storage::check_volume_access(
>> -                    $rpcenv, $authuser, $cfg, undef, $item->{volid},
>> -                );
>> -            };
>> -            next if $@;
> 
> the data here also contains things like the notes content for that
> volume, which might be sensitive..
> 
> should we maybe limit the returned information if there is no volume
> access? e.g., just return volid, format, type, owner, and size
> information?

Good catch! But should information like 'verification', 'protected',
'encrypted' really be limited as well (maybe mapping a fingerprint to
just 1 and updating the docs)? The feature request is precisely for
backup monitoring, where those would be important. 'parent' and 'ctime'
seem also useful for auditing a storage.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH storage] close #5492: api: content: allow listing volumes with Datastore.Audit privilege

[Fabian Grünbichler]

On July 30, 2025 4:20 pm, Fiona Ebner wrote:
> Am 30.07.25 um 3:11 PM schrieb Fabian Grünbichler:
>> On July 18, 2025 5:03 pm, Fiona Ebner wrote:
>>> The check_volume_access() method is for checking read access to a
>>> volume. Users should be able to list the images, e.g. to check backup
>>> health via monitoring like reported in #5492 comment 3, with just an
>>> audit privilege.
>>>
>>> Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
>>> ---
>>>  src/PVE/API2/Storage/Content.pm | 6 ------
>>>  1 file changed, 6 deletions(-)
>>>
>>> diff --git a/src/PVE/API2/Storage/Content.pm b/src/PVE/API2/Storage/Content.pm
>>> index 1fe7303..c1f9a1f 100644
>>> --- a/src/PVE/API2/Storage/Content.pm
>>> +++ b/src/PVE/API2/Storage/Content.pm
>>> @@ -154,12 +154,6 @@ __PACKAGE__->register_method({
>>>  
>>>          my $res = [];
>>>          foreach my $item (@$vollist) {
>>> -            eval {
>>> -                PVE::Storage::check_volume_access(
>>> -                    $rpcenv, $authuser, $cfg, undef, $item->{volid},
>>> -                );
>>> -            };
>>> -            next if $@;
>> 
>> the data here also contains things like the notes content for that
>> volume, which might be sensitive..
>> 
>> should we maybe limit the returned information if there is no volume
>> access? e.g., just return volid, format, type, owner, and size
>> information?
> 
> Good catch! But should information like 'verification', 'protected',
> 'encrypted' really be limited as well (maybe mapping a fingerprint to
> just 1 and updating the docs)? The feature request is precisely for
> backup monitoring, where those would be important. 'parent' and 'ctime'
> seem also useful for auditing a storage.

yes, probably we should take a look at all the returned members and make
a list of allowed-for-audit-purposes and drop the rest.


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel