* [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD @ 2020-09-16 9:51 Fabian Grünbichler 2020-09-16 9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler 2020-09-17 4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer 0 siblings, 2 replies; 4+ messages in thread From: Fabian Grünbichler @ 2020-09-16 9:51 UTC (permalink / raw) To: pbs-devel this is the same privilege needed to query the node status. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- src/api2/node/rrd.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/api2/node/rrd.rs b/src/api2/node/rrd.rs index 99881461..cc18f30e 100644 --- a/src/api2/node/rrd.rs +++ b/src/api2/node/rrd.rs @@ -1,9 +1,10 @@ use anyhow::Error; use serde_json::{Value, json}; -use proxmox::api::{api, Router}; +use proxmox::api::{api, Permission, Router}; use crate::api2::types::*; +use crate::config::acl::PRIV_SYS_AUDIT; use crate::rrd::{extract_cached_data, RRD_DATA_ENTRIES}; pub fn create_value_from_rrd( @@ -56,6 +57,9 @@ pub fn create_value_from_rrd( }, }, }, + access: { + permission: &Permission::Privilege(&["system", "status"], PRIV_SYS_AUDIT, false), + }, )] /// Read node stats fn get_node_stats( -- 2.20.1 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info 2020-09-16 9:51 [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Fabian Grünbichler @ 2020-09-16 9:51 ` Fabian Grünbichler 2020-09-17 4:04 ` [pbs-devel] applied: " Dietmar Maurer 2020-09-17 4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer 1 sibling, 1 reply; 4+ messages in thread From: Fabian Grünbichler @ 2020-09-16 9:51 UTC (permalink / raw) To: pbs-devel like we do for PVE. this is visible on the dashboard, and caused 403 on each update which bothers me when looking at the dev console. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- Notes: this will need more work once we actually introduce subscription keys, but seems good enough for now.. src/api2/node/subscription.rs | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/src/api2/node/subscription.rs b/src/api2/node/subscription.rs index 186019cb..f8b14187 100644 --- a/src/api2/node/subscription.rs +++ b/src/api2/node/subscription.rs @@ -1,11 +1,12 @@ use anyhow::{Error}; use serde_json::{json, Value}; -use proxmox::api::{api, Router, Permission}; +use proxmox::api::{api, Router, RpcEnvironment, Permission}; use crate::tools; use crate::config::acl::PRIV_SYS_AUDIT; -use crate::api2::types::NODE_SCHEMA; +use crate::config::cached_user_info::CachedUserInfo; +use crate::api2::types::{NODE_SCHEMA, Userid}; #[api( input: { @@ -28,7 +29,7 @@ use crate::api2::types::NODE_SCHEMA; }, serverid: { type: String, - description: "The unique server ID.", + description: "The unique server ID, if permitted to access.", }, url: { type: String, @@ -37,18 +38,29 @@ use crate::api2::types::NODE_SCHEMA; }, }, access: { - permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false), + permission: &Permission::Anybody, }, )] /// Read subscription info. -fn get_subscription(_param: Value) -> Result<Value, Error> { +fn get_subscription( + _param: Value, + rpcenv: &mut dyn RpcEnvironment, +) -> Result<Value, Error> { + let userid: Userid = rpcenv.get_user().unwrap().parse()?; + let user_info = CachedUserInfo::new()?; + let user_privs = user_info.lookup_privs(&userid, &[]); + let server_id = if (user_privs & PRIV_SYS_AUDIT) != 0 { + tools::get_hardware_address()? + } else { + "hidden".to_string() + }; let url = "https://www.proxmox.com/en/proxmox-backup-server/pricing"; Ok(json!({ "status": "NotFound", - "message": "There is no subscription key", - "serverid": tools::get_hardware_address()?, - "url": url, + "message": "There is no subscription key", + "serverid": server_id, + "url": url, })) } -- 2.20.1 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [pbs-devel] applied: [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info 2020-09-16 9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler @ 2020-09-17 4:04 ` Dietmar Maurer 0 siblings, 0 replies; 4+ messages in thread From: Dietmar Maurer @ 2020-09-17 4:04 UTC (permalink / raw) To: Proxmox Backup Server development discussion, Fabian Grünbichler applied ^ permalink raw reply [flat|nested] 4+ messages in thread
* [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD 2020-09-16 9:51 [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Fabian Grünbichler 2020-09-16 9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler @ 2020-09-17 4:03 ` Dietmar Maurer 1 sibling, 0 replies; 4+ messages in thread From: Dietmar Maurer @ 2020-09-17 4:03 UTC (permalink / raw) To: Proxmox Backup Server development discussion, Fabian Grünbichler applied ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-09-17 4:04 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-09-16 9:51 [pbs-devel] [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Fabian Grünbichler 2020-09-16 9:51 ` [pbs-devel] [PATCH proxmox-backup 2/2] always allow retrieving (censored) subscription info Fabian Grünbichler 2020-09-17 4:04 ` [pbs-devel] applied: " Dietmar Maurer 2020-09-17 4:03 ` [pbs-devel] applied: [PATCH proxmox-backup 1/2] fix #2957: allow Sys.Audit access to node RRD Dietmar Maurer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox