From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id A66DB1FF16F for ; Tue, 15 Oct 2024 15:50:42 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id ABF0B16AC3; Tue, 15 Oct 2024 15:51:14 +0200 (CEST) From: Lukas Wagner To: pbs-devel@lists.proxmox.com Date: Tue, 15 Oct 2024 15:50:28 +0200 Message-Id: <20241015135028.214111-1-l.wagner@proxmox.com> X-Mailer: git-send-email 2.39.5 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.009 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [metrics.rs] Subject: [pbs-devel] [PATCH proxmox-backup] api: metrics: check permissions before reading any data from the cache X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Reading from the metric cache is somewhat expensive, so validate as many of the required permissions as possible. For host metrics, we can do the full check in advance. For datastores, we check if we have audit permissions for *any* datastore. If we do not have privs for either of those, we return early and avoid reading from the cache altogether. Signed-off-by: Lukas Wagner Suggested-by: Wolfgang Bumiller --- src/api2/status/metrics.rs | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/src/api2/status/metrics.rs b/src/api2/status/metrics.rs index b8aaceeb..a0004ef9 100644 --- a/src/api2/status/metrics.rs +++ b/src/api2/status/metrics.rs @@ -37,6 +37,25 @@ pub fn get_metrics( let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?; let user_info = CachedUserInfo::new()?; + let has_any_datastore_audit_privs = + user_info.any_privs_below(&auth_id, &["datastore"], PRIV_DATASTORE_AUDIT)?; + + let has_host_audit_privs = + (CachedUserInfo::lookup_privs(&user_info, &auth_id, &["system", "status"]) + & PRIV_SYS_AUDIT) + != 0; + + if !has_any_datastore_audit_privs && !has_host_audit_privs { + // The `pull_metrics::get_*` calls are expensive, so + // check early if the current user has sufficient privileges to read *any* + // metric data. + // For datastores, we do not yet know for which individual datastores + // we have metrics in the cache, so we just check if we have + // audit permissions for *any* datastore and filter after + // reading the data. + return Ok(Metrics { data: Vec::new() }); + } + let metrics = if history { pull_metrics::get_all_metrics(start_time)? } else { @@ -46,11 +65,10 @@ pub fn get_metrics( let filter_by_privs = |point: &MetricDataPoint| { let id = point.id.as_str(); if id == "host" { - let user_privs = - CachedUserInfo::lookup_privs(&user_info, &auth_id, &["system", "status"]); - return (user_privs & PRIV_SYS_AUDIT) != 0; + return has_host_audit_privs; } else if let Some(datastore_id) = id.strip_prefix("datastore/") { if !datastore_id.contains('/') { + // Now, check whether we have permissions for the individual datastore let user_privs = CachedUserInfo::lookup_privs( &user_info, &auth_id, -- 2.39.5 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel