From: Shan Shaji <s.shaji@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH datacenter-manager 1/2] fix #6901: api: add permission checks for PBS rrd endpoints
Date: Fri, 10 Oct 2025 17:18:02 +0200 [thread overview]
Message-ID: <20251010151803.257519-2-s.shaji@proxmox.com> (raw)
In-Reply-To: <20251010151803.257519-1-s.shaji@proxmox.com>
When a non-root user tried to view the RRD data of the PBS node or
datastores, even with Administrator privileges, the API was
returning a "403: permission check failed" error. This occured
because the access property was not defined inside the `api` macro.
To fix the issue, a resource level permission check was added.
Now if a user has atleast the `Resource.Audit` permission, then they
can access the RRD data of the node and datastores.
Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
server/src/api/pbs/rrddata.rs | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/src/api/pbs/rrddata.rs b/server/src/api/pbs/rrddata.rs
index aa980d4..c8885de 100644
--- a/server/src/api/pbs/rrddata.rs
+++ b/server/src/api/pbs/rrddata.rs
@@ -2,8 +2,9 @@ use anyhow::Error;
use pdm_api_types::{
remotes::REMOTE_ID_SCHEMA,
rrddata::{PbsDatastoreDataPoint, PbsNodeDataPoint},
+ PRIV_RESOURCE_AUDIT,
};
-use proxmox_router::Router;
+use proxmox_router::{Permission, Router};
use proxmox_rrd_api_types::{RrdMode, RrdTimeframe};
use proxmox_schema::api;
use serde_json::Value;
@@ -100,6 +101,10 @@ impl DataPoint for PbsDatastoreDataPoint {
},
},
},
+ access: {
+ permission: &Permission::Privilege(&["resource", "{remote}"], PRIV_RESOURCE_AUDIT, false),
+ description: "The user needs to have atleast `Resource.Audit` privilege under `/resource`."
+ }
)]
/// Read PBS node stats
async fn get_pbs_node_rrd_data(
@@ -125,6 +130,10 @@ async fn get_pbs_node_rrd_data(
},
},
},
+ access: {
+ permission: &Permission::Privilege(&["resource", "{remote}", "datastore", "{datastore}"], PRIV_RESOURCE_AUDIT, false),
+ description: "The user needs to have atleast `Resource.Audit` privilege under `/resource`."
+ }
)]
/// Read PBS datastore stats
async fn get_pbs_datastore_rrd_data(
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-10-10 15:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-10 15:18 [pdm-devel] [PATCH datacenter-manager 0/2] fix #6901: add explicit permissions for PBS status and RRD endpoints Shan Shaji
2025-10-10 15:18 ` Shan Shaji [this message]
2025-10-10 15:18 ` [pdm-devel] [PATCH datacenter-manager 2/2] fix #6901: api: remove `node` reference from templated privilege path Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251010151803.257519-2-s.shaji@proxmox.com \
--to=s.shaji@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox