From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <h.duerr@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 261AE93A5B
 for <pve-devel@lists.proxmox.com>; Tue, 20 Feb 2024 16:51:28 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 07976A660
 for <pve-devel@lists.proxmox.com>; Tue, 20 Feb 2024 16:51:28 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Tue, 20 Feb 2024 16:51:26 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 393D143D05
 for <pve-devel@lists.proxmox.com>; Tue, 20 Feb 2024 16:51:26 +0100 (CET)
Message-ID: <c21498aa-bfdc-467f-bc5e-bc3caceb5ff0@proxmox.com>
Date: Tue, 20 Feb 2024 16:51:24 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
 Thomas Lamprecht <t.lamprecht@proxmox.com>
References: <20240219171412.1576651-1-t.lamprecht@proxmox.com>
Content-Language: en-US
From: =?UTF-8?Q?Hannes_D=C3=BCrr?= <h.duerr@proxmox.com>
In-Reply-To: <20240219171412.1576651-1-t.lamprecht@proxmox.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.121 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 POISEN_SPAM_PILL          0.1 Meta: its spam
 POISEN_SPAM_PILL_1        0.1 random spam to be learned in bayes
 POISEN_SPAM_PILL_3        0.1 random spam to be learned in bayes
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE    -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [nodes.pm, proxmox.com, status.pm, perm-test1.pl,
 accesscontrol.pm]
Subject: Re: [pve-devel] fix #5254: add separate Sys.AccessNetwork privilege
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 15:51:28 -0000

Tested the patch by

1.

* creating a role with 
'Datastore.Audit,Datastore.AllocateTemplate,Sys.AccessNetwork'

* creating a user with permission for specific {storage} and {node}

* downloading the iso via gui

2.

* creating a role with 'Datastore.AllocateTemplate,Sys.AccessNetwork'

* creating an API Token with permission for specific {storage} and {node}

* querying image via the endpoint nodes/{node}/query-url-metadata

* downloading the image via the endpoint 
nodes/{node}/storage/{storage}/download-url

Tested-by: Hannes Duerr <h.duerr@proxmox.com>


On 2/19/24 18:14, Thomas Lamprecht wrote:
> Adds a new Sys.AccessNetwork privilege that can be used to guard API
> endpoints that can do outgoing network requests with (some) user control
> over said requests, like e.g. the "download URL to storage" one.
>
> ## Backstory:
>
> This stems from an user request [0] w.r.t. the "download image through
> and URL directly to a storage" functionality and their use case of that
> through automation while wanting to adhere to the principle of least
> privilege.
>
> Because before this series the access to the required endpoints was
> guarded by the more powerful Sys.Modify and Sys.Audit privilege
> requirement on the / root ACL object path.
> So, if anybody wants to set up an API token so that automation can
> handle image downloads they'd need to give that API token very powerful
> permissions to make it work.
>
> A more specialized privilege seems warranted now, so add the
> Sys.AccessNetwork one and adapt the /nodes/{node}/query-url-metadata and
> the related /nodes/{node}/storage/{storage}/download-url API endpoints
> for now.
>
> ## Testing:
>
> Tested by creating a new custom role with the privileges
> `Datastore.Audit,Datastore.AllocateTemplate,Sys.AccessNetwork`, then
> created a user that gets a permission with above role for a specific
> node and a storage and then try querying and downloading an image, with
> and without this patch series applied.
>
> ## Future Work
>
> We could this even re-use for other endpoints, like adding storages that
> are accessed through the network, as that provides a (limited) side
> channel too.
>
> access-control:
>
> Thomas Lamprecht (1):
>        add Sys.AccessNetwork privilege
>
>   src/PVE/AccessControl.pm | 1 +
>   src/test/perm-test1.pl   | 2 +-
>   2 files changed, 2 insertions(+), 1 deletion(-)
>
> storage:
>
> Thomas Lamprecht (1):
>        fix #5254: api: allow usage of download-url with Sys.AccessNetwork
>
>   src/PVE/API2/Storage/Status.pm | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
>
> manager:
>
> Thomas Lamprecht (2):
>        api: nodes: allow usage of query url metadata with Sys.AccessNetwork
>        ui: storage: enable download-url button with Sys.AccessNetwork capability
>
>   PVE/API2/Nodes.pm               | 5 ++++-
>   www/manager6/storage/Browser.js | 5 ++++-
>   2 files changed, 8 insertions(+), 2 deletions(-)
>
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>