From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id A66DB1FF16F
	for <inbox@lore.proxmox.com>; Tue, 15 Oct 2024 15:50:42 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id ABF0B16AC3;
	Tue, 15 Oct 2024 15:51:14 +0200 (CEST)
From: Lukas Wagner <l.wagner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Tue, 15 Oct 2024 15:50:28 +0200
Message-Id: <20241015135028.214111-1-l.wagner@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.009 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [metrics.rs]
Subject: [pbs-devel] [PATCH proxmox-backup] api: metrics: check permissions
 before reading any data from the cache
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel" <pbs-devel-bounces@lists.proxmox.com>

Reading from the metric cache is somewhat expensive, so validate as many
of the required permissions as possible. For host metrics, we can
do the full check in advance. For datastores, we check if we have
audit permissions for *any* datastore. If we do not have privs for
either of those, we return early and avoid reading from the
cache altogether.

Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
Suggested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/api2/status/metrics.rs | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/api2/status/metrics.rs b/src/api2/status/metrics.rs
index b8aaceeb..a0004ef9 100644
--- a/src/api2/status/metrics.rs
+++ b/src/api2/status/metrics.rs
@@ -37,6 +37,25 @@ pub fn get_metrics(
     let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
     let user_info = CachedUserInfo::new()?;
 
+    let has_any_datastore_audit_privs =
+        user_info.any_privs_below(&auth_id, &["datastore"], PRIV_DATASTORE_AUDIT)?;
+
+    let has_host_audit_privs =
+        (CachedUserInfo::lookup_privs(&user_info, &auth_id, &["system", "status"])
+            & PRIV_SYS_AUDIT)
+            != 0;
+
+    if !has_any_datastore_audit_privs && !has_host_audit_privs {
+        // The `pull_metrics::get_*` calls are expensive, so
+        // check early if the current user has sufficient privileges to read *any*
+        // metric data.
+        // For datastores, we do not yet know for which individual datastores
+        // we have metrics in the cache, so we just check if we have
+        // audit permissions for *any* datastore and filter after
+        // reading the data.
+        return Ok(Metrics { data: Vec::new() });
+    }
+
     let metrics = if history {
         pull_metrics::get_all_metrics(start_time)?
     } else {
@@ -46,11 +65,10 @@ pub fn get_metrics(
     let filter_by_privs = |point: &MetricDataPoint| {
         let id = point.id.as_str();
         if id == "host" {
-            let user_privs =
-                CachedUserInfo::lookup_privs(&user_info, &auth_id, &["system", "status"]);
-            return (user_privs & PRIV_SYS_AUDIT) != 0;
+            return has_host_audit_privs;
         } else if let Some(datastore_id) = id.strip_prefix("datastore/") {
             if !datastore_id.contains('/') {
+                // Now, check whether we have permissions for the individual datastore
                 let user_privs = CachedUserInfo::lookup_privs(
                     &user_info,
                     &auth_id,
-- 
2.39.5



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel