* [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission
@ 2021-04-29 9:48 Lorenz Stechauner
2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
0 siblings, 2 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-04-29 9:48 UTC (permalink / raw)
To: pve-devel
Lorenz Stechauner (2):
fix #3402: add Pool.Audit permission
PVE/API2/Cluster.pm | 2 +-
PVE/API2/Pool.pm | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
fix #3402: add Pool.Audit permission
PVE/AccessControl.pm | 8 ++++++--
README | 1 +
2 files changed, 7 insertions(+), 2 deletions(-)
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH access-control 1/1] fix #3402: add Pool.Audit permission
2021-04-29 9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner
@ 2021-04-29 9:48 ` Lorenz Stechauner
2021-04-30 11:27 ` Fabian Grünbichler
2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
1 sibling, 1 reply; 5+ messages in thread
From: Lorenz Stechauner @ 2021-04-29 9:48 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
PVE/AccessControl.pm | 8 ++++++--
README | 1 +
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index f7d4e78..888875e 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -819,8 +819,12 @@ my $privgroups = {
admin => [
'Pool.Allocate', # create/delete pools
],
- user => [],
- audit => [],
+ user => [
+ 'Pool.Audit',
+ ],
+ audit => [
+ 'Pool.Audit',
+ ],
},
};
diff --git a/README b/README
index 33643a6..698b7a8 100644
--- a/README
+++ b/README
@@ -96,6 +96,7 @@ privileges:
VM.Config.Options: modify any other VM configuration
Pool.Allocate: create/remove/modify a pool.
+ Pool.Audit: view/browse pool
Datastore.Allocate: create/remove/modify a data store.
Datastore.AllocateSpace: allocate space on a datastore
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission
2021-04-29 9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
@ 2021-04-29 9:49 ` Lorenz Stechauner
2021-04-30 11:27 ` Fabian Grünbichler
1 sibling, 1 reply; 5+ messages in thread
From: Lorenz Stechauner @ 2021-04-29 9:49 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
PVE/API2/Cluster.pm | 2 +-
PVE/API2/Pool.pm | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index ab5b28a1..ace5b5b1 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
for my $pool (sort keys %{$usercfg->{pools}}) {
my $d = $usercfg->{pools}->{$pool};
- next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+ next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = {
id => "/pool/$pool",
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
index 567c7e8d..6ef981fb 100644
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -23,7 +23,7 @@ __PACKAGE__->register_method ({
method => 'GET',
description => "Pool index.",
permissions => {
- description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+ description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.",
user => 'all',
},
parameters => {
@@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
my $usercfg = $rpcenv->{user_cfg};
foreach my $pool (keys %{$usercfg->{pools}}) {
- next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+ next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1);
my $entry = { poolid => $pool };
my $data = $usercfg->{pools}->{$pool};
@@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'GET',
permissions => {
- check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+ check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
},
description => "Get pool configuration.",
parameters => {
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 1/1] fix #3402: add Pool.Audit permission
2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
@ 2021-04-30 11:27 ` Fabian Grünbichler
0 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-04-30 11:27 UTC (permalink / raw)
To: Proxmox VE development discussion
On April 29, 2021 11:48 am, Lorenz Stechauner wrote:
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
> PVE/AccessControl.pm | 8 ++++++--
> README | 1 +
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index f7d4e78..888875e 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -819,8 +819,12 @@ my $privgroups = {
> admin => [
> 'Pool.Allocate', # create/delete pools
> ],
> - user => [],
> - audit => [],
> + user => [
> + 'Pool.Audit',
> + ],
this hunk actually causes a new built-in "PVEUser" role to be defined..
I am not sure whether it's worth it (probably PVEAuditor already serves
that niche for almost all use-cases). but if we include it, then this
requires a pve-docs patch as well ;) users might also already have a
custom role named like that, so potentially defer to 7.0 as breaking
change?
> + audit => [
> + 'Pool.Audit',
> + ],
> },
> };
>
> diff --git a/README b/README
> index 33643a6..698b7a8 100644
> --- a/README
> +++ b/README
> @@ -96,6 +96,7 @@ privileges:
> VM.Config.Options: modify any other VM configuration
>
> Pool.Allocate: create/remove/modify a pool.
> + Pool.Audit: view/browse pool
>
> Datastore.Allocate: create/remove/modify a data store.
> Datastore.AllocateSpace: allocate space on a datastore
> --
> 2.20.1
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission
2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
@ 2021-04-30 11:27 ` Fabian Grünbichler
0 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-04-30 11:27 UTC (permalink / raw)
To: Proxmox VE development discussion
On April 29, 2021 11:49 am, Lorenz Stechauner wrote:
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
> PVE/API2/Cluster.pm | 2 +-
> PVE/API2/Pool.pm | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
> index ab5b28a1..ace5b5b1 100644
> --- a/PVE/API2/Cluster.pm
> +++ b/PVE/API2/Cluster.pm
> @@ -332,7 +332,7 @@ __PACKAGE__->register_method({
> for my $pool (sort keys %{$usercfg->{pools}}) {
> my $d = $usercfg->{pools}->{$pool};
>
> - next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
> + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
>
> my $entry = {
> id => "/pool/$pool",
> diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
> index 567c7e8d..6ef981fb 100644
> --- a/PVE/API2/Pool.pm
> +++ b/PVE/API2/Pool.pm
> @@ -23,7 +23,7 @@ __PACKAGE__->register_method ({
> method => 'GET',
> description => "Pool index.",
> permissions => {
> - description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
> + description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.",
for backwards-compat we need to still accept Pool.Allocate as well
there might be custom roles out there that have Pool.Allocate, those
would now not be able to see their pool anymore unless they happen to
have VM.Allocate on that pool as well which is not a given.
we could drop Pool.Allocate for 7.0 if we want to break compat at that
point..
> user => 'all',
> },
> parameters => {
> @@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
> my $usercfg = $rpcenv->{user_cfg};
>
> foreach my $pool (keys %{$usercfg->{pools}}) {
> - next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
> + next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1);
which means this has to be changed
>
> my $entry = { poolid => $pool };
> my $data = $usercfg->{pools}->{$pool};
> @@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
> path => '{poolid}',
> method => 'GET',
> permissions => {
> - check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
> + check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
same here
> },
> description => "Get pool configuration.",
> parameters => {
> --
> 2.20.1
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-04-30 11:28 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-29 9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
2021-04-30 11:27 ` Fabian Grünbichler
2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
2021-04-30 11:27 ` Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox