From: Fiona Ebner <f.ebner@proxmox.com>
To: Daniel Kral <d.kral@proxmox.com>,
	Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH access-control] api: role: remove role references from acl rules on role deletion
Date: Wed, 5 Feb 2025 11:00:55 +0100	[thread overview]
Message-ID: <c318b880-3b24-4759-b736-e9c05e4e0be3@proxmox.com> (raw)
In-Reply-To: <5448e8a5-db8c-4745-aab8-3d613c5d95f7@proxmox.com>

On 05.02.25 at 10:21, Daniel Kral wrote:
> On 2/3/25 12:49, Fiona Ebner wrote:
>> On 04.12.24 at 16:11, Daniel Kral wrote:
>>> Let the API endpoint `DELETE /access/roles/{roleid}` or command
>>> `pveum role delete <roleid>` remove any ACL rules in the user
>>> configuration which reference the removed role.
>>>
>>> Before this change, the removal of a role caused the role to remain
>>> in existing ACL rules which referenced the removed role. Therefore, on
>>> each parse of the user configuration, a warning was displayed:
>>>
>>> user config - ignore invalid acl role '<role>'
>>>
>>
>> Might be good to note that the next modification of the configuration
>> would drop the unknown role (even if a role with the same name is
>> re-added right away).
> 
> Thanks, will mention that in the v2!
> 
> Just for clarification, what could be an/the use case of deleting and
> re-adding the role? It could be certainly beneficial to add a small
> reminder in the WebUI, that removing a user/group/role will also delete
> its dependents.

Could happen by accident, or could just be the want to use a new role
with the same name for something (slightly) different. But I mentioned
this, because one could suspect that re-adding right away could be a
scenario where the left-overs from the deleted role are not dropped. And
a new role starting out with ACLs from a previous one would be
surprising and have security-critical implications. It's not the case
however, the left-overs are dropped even then.

Still, if you ever suspect you came across something with security
implications, best to contact a member of the security team, or you can
also just use the standard channels:
https://pve.proxmox.com/wiki/Security_Reporting

> 
> On 2/3/25 12:49, Fiona Ebner wrote:
>> What would be really nice is to have some tests for various
>> add/modify/delete sequences touching user.cfg :) I don't think current
>> tests cover that yet.
> 
> I'll gladly provide these with a v2 to document the changes and also
> just enforce this behavior in the future :).

Great!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
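The delete-and-re-add sequence discussed above, and the kind of add/modify/delete test asked for in the thread, as an added Python model that is not Proxmox's code. It assumes a user.cfg-like layout of `role:` and `acl:` lines with roles listed before acl lines, and that each API call parses the stored text before writing it back; the role names, paths and users are constructed.

```python
# Constructed sample in an assumed user.cfg-like layout: 'role:<id>:<privs>:' then 'acl:<propagate>:<path>:<users>:<roles>:'
SAMPLE = """\
role:Operator:VM.Audit,VM.PowerMgmt:
role:Viewer:VM.Audit:
acl:1:/vms/100:alice@pve:Operator:
acl:1:/vms/101:bob@pve:Operator,Viewer:
"""

def parse(text):
    """Parse stored text; acl references to roles not defined above are dropped with a warning."""
    cfg = {"roles": {}, "acl": [], "warnings": []}
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "role":
            cfg["roles"][fields[1]] = set(filter(None, fields[2].split(",")))
        elif fields[0] == "acl":
            propagate, path, who, roles = fields[1:5]
            wanted = set(roles.split(","))
            kept = {r for r in wanted if r in cfg["roles"]}
            cfg["warnings"] += [f"user config - ignore invalid acl role '{r}'" for r in sorted(wanted - kept)]
            if kept:  # model choice: an entry left without any valid role is dropped
                cfg["acl"].append((propagate, path, set(who.split(",")), kept))
    return cfg

def write(cfg):
    lines = [f"role:{r}:{','.join(sorted(p))}:" for r, p in cfg["roles"].items()]
    lines += [f"acl:{p}:{path}:{','.join(sorted(w))}:{','.join(sorted(r))}:" for p, path, w, r in cfg["acl"]]
    return "\n".join(lines) + "\n"

def modify(text, change):
    """One API-style transaction: parse the stored config, apply the change, write it back."""
    cfg = parse(text)
    change(cfg)
    return write(cfg)

def delete_role(roleid, cleanup_acl=True):
    """Before the patch only the role line went away (cleanup_acl=False); the patch
    also strips the role from every acl entry and drops entries left without roles."""
    def change(cfg):
        del cfg["roles"][roleid]
        if cleanup_acl:
            cfg["acl"] = [(p, path, w, r - {roleid}) for p, path, w, r in cfg["acl"] if r - {roleid}]
    return change

def add_role(roleid, privs): return lambda cfg: cfg["roles"].update({roleid: set(privs)})

def delete_then_readd(text, roleid, cleanup_acl):
    """The sequence from the thread: delete a role, then right away add one with the same name."""
    after_delete = modify(text, delete_role(roleid, cleanup_acl))
    return after_delete, modify(after_delete, add_role(roleid, ["VM.Audit"]))
```

With the pre-patch behaviour the stale `Operator` reference survives the delete and triggers the warning on the next parse, but the re-added role still starts without ACLs because that parse drops the leftovers before the new role line is written; with the patch the reference is gone immediately and no warning is ever emitted.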


Thread overview: 4+ messages
2024-12-04 15:11 Daniel Kral
2025-02-03 11:49 ` Fiona Ebner
2025-02-05  9:21   ` Daniel Kral
2025-02-05 10:00     ` Fiona Ebner [this message]
