[pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard

[pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard

[Shan Shaji]

When a non-root user logged into PDM, the Top Entities section was
not visible, even though the required privileges had been assigned.

To fix it allow all authenticated users to access the `/top-entities`
endpoint. Also added explicit privilege checks to validate the access
on resources.

Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
 server/src/api/resources.rs                  | 23 ++++++++++++++++++--
 server/src/metric_collection/top_entities.rs |  5 +++++
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
index ce05db1..4012353 100644
--- a/server/src/api/resources.rs
+++ b/server/src/api/resources.rs
@@ -475,6 +475,9 @@ pub async fn get_subscription_status(
 // FIXME: make timeframe and count parameters?
 // FIXME: permissions?
 #[api(
+    access: {
+        permission: &Permission::Anybody,
+    },
     input: {
         properties: {
             "timeframe": {
@@ -485,11 +488,27 @@ pub async fn get_subscription_status(
     },
 )]
 /// Returns the top X entities regarding the chosen type
-async fn get_top_entities(timeframe: Option<RrdTimeframe>) -> Result<TopEntities, Error> {
+async fn get_top_entities(
+    timeframe: Option<RrdTimeframe>,
+    rpcenv: &mut dyn RpcEnvironment,
+) -> Result<TopEntities, Error> {
+    let user_info = CachedUserInfo::new()?;
+    let auth_id: Authid = rpcenv
+        .get_auth_id()
+        .ok_or_else(|| format_err!("no authid available"))?
+        .parse()?;
+
+    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
+        http_bail!(UNAUTHORIZED, "user has no access to resources");
+    }
+
     let (remotes_config, _) = pdm_config::remotes::config()?;
+    let check_remote_privs = |remote_name: &str| {
+        user_info.lookup_privs(&auth_id, &["resource", remote_name]) & PRIV_RESOURCE_AUDIT != 0
+    };
 
     let timeframe = timeframe.unwrap_or(RrdTimeframe::Day);
-    let res = top_entities::calculate_top(&remotes_config, timeframe, 10);
+    let res = top_entities::calculate_top(&remotes_config, timeframe, 10, check_remote_privs);
     Ok(res)
 }
 
diff --git a/server/src/metric_collection/top_entities.rs b/server/src/metric_collection/top_entities.rs
index 47fda24..990189a 100644
--- a/server/src/metric_collection/top_entities.rs
+++ b/server/src/metric_collection/top_entities.rs
@@ -36,12 +36,17 @@ pub fn calculate_top(
     remotes: &HashMap<String, pdm_api_types::remotes::Remote>,
     timeframe: proxmox_rrd_api_types::RrdTimeframe,
     num: usize,
+    check_remote_privs: impl Fn(&str) -> bool
 ) -> TopEntities {
     let mut guest_cpu = Vec::new();
     let mut node_cpu = Vec::new();
     let mut node_memory = Vec::new();
 
     for remote_name in remotes.keys() {
+        if !check_remote_privs(remote_name) {
+            continue;
+        }
+
         if let Some(data) =
             crate::api::resources::get_cached_resources(remote_name, i64::MAX as u64)
         {
-- 
2.47.2



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard

[Shan Shaji]

Ping


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard

[Shannon Sterz]

On Fri Sep 19, 2025 at 5:11 PM CEST, Shan Shaji wrote:
> When a non-root user logged into PDM, the Top Entities section was
> not visible, even though the required privileges had been assigned.
>
> To fix it allow all authenticated users to access the `/top-entities`
> endpoint. Also added explicit privilege checks to validate the access
> on resources.
>

imo: mention that the returned top entities will be filter by the users
permissions based on what resources they have access to in the commit
message.

some nits and comments in-line.

> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
>  server/src/api/resources.rs                  | 23 ++++++++++++++++++--
>  server/src/metric_collection/top_entities.rs |  5 +++++
>  2 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
> index ce05db1..4012353 100644
> --- a/server/src/api/resources.rs
> +++ b/server/src/api/resources.rs
> @@ -475,6 +475,9 @@ pub async fn get_subscription_status(
>  // FIXME: make timeframe and count parameters?
>  // FIXME: permissions?

nit: remove this fixme while you are at it :)

>  #[api(
> +    access: {
> +        permission: &Permission::Anybody,
> +    },

nit: typically we have the `access` portion toward the end of the api
macro. would be nice to have this here too for consistency but no
blocker.

however, it would be nice to add a description here that users need to
have permissions to at least some resource under `/resources` for this
api endpoint not to bail with an UNAUTHORIZED error. and also that the
results will be filtered by resources that a user has access too. so
something like this maybe:

The user needs to have at least `PRIV_RESOURCE_AUDIT` on one resources
under `/resource`. Only resources for which the user has
`PRIV_RESOURCE_AUDIT` on `/resource/{remote_name} will be considered
when calculating the top entities.

>      input: {
>          properties: {
>              "timeframe": {
> @@ -485,11 +488,27 @@ pub async fn get_subscription_status(
>      },
>  )]
>  /// Returns the top X entities regarding the chosen type
> -async fn get_top_entities(timeframe: Option<RrdTimeframe>) -> Result<TopEntities, Error> {
> +async fn get_top_entities(
> +    timeframe: Option<RrdTimeframe>,
> +    rpcenv: &mut dyn RpcEnvironment,
> +) -> Result<TopEntities, Error> {
> +    let user_info = CachedUserInfo::new()?;
> +    let auth_id: Authid = rpcenv
> +        .get_auth_id()
> +        .ok_or_else(|| format_err!("no authid available"))?
> +        .parse()?;
> +
> +    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
> +        http_bail!(UNAUTHORIZED, "user has no access to resources");

i know there is another endpoint like this in the same file, but we
usually use 403 ("Forbidden") when a user does not have sufficient
permissions and 401 ("Unauthorized") when there is no authentication at
all. imo it would be nice to keep that consistent, so this should be a
`FORBIDDEN`.

> +    }
> +
>      let (remotes_config, _) = pdm_config::remotes::config()?;
> +    let check_remote_privs = |remote_name: &str| {
> +        user_info.lookup_privs(&auth_id, &["resource", remote_name]) & PRIV_RESOURCE_AUDIT != 0
> +    };
>
>      let timeframe = timeframe.unwrap_or(RrdTimeframe::Day);
> -    let res = top_entities::calculate_top(&remotes_config, timeframe, 10);
> +    let res = top_entities::calculate_top(&remotes_config, timeframe, 10, check_remote_privs);
>      Ok(res)
>  }
>
> diff --git a/server/src/metric_collection/top_entities.rs b/server/src/metric_collection/top_entities.rs
> index 47fda24..990189a 100644
> --- a/server/src/metric_collection/top_entities.rs
> +++ b/server/src/metric_collection/top_entities.rs
> @@ -36,12 +36,17 @@ pub fn calculate_top(
>      remotes: &HashMap<String, pdm_api_types::remotes::Remote>,
>      timeframe: proxmox_rrd_api_types::RrdTimeframe,
>      num: usize,
> +    check_remote_privs: impl Fn(&str) -> bool
>  ) -> TopEntities {
>      let mut guest_cpu = Vec::new();
>      let mut node_cpu = Vec::new();
>      let mut node_memory = Vec::new();
>
>      for remote_name in remotes.keys() {
> +        if !check_remote_privs(remote_name) {
> +            continue;
> +        }
> +
>          if let Some(data) =
>              crate::api::resources::get_cached_resources(remote_name, i64::MAX as u64)
>          {

other than the comments above, consider this:

Reviewed-by: Shannon Sterz <s.sterz@proxmox.com>


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard

[Shan Shaji]

Thanks @Shannon for the comments. Will send v2 with the updated changes. 


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager] fix #6794: api: allow non-root users to view stats on dashboard

[Shan Shaji]

superseeded by v2: https://lore.proxmox.com/pdm-devel/20251007112801.277946-1-s.shaji@proxmox.com/T/#u


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel