* [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission @ 2021-04-29 9:48 Lorenz Stechauner 2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner 2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner 0 siblings, 2 replies; 5+ messages in thread From: Lorenz Stechauner @ 2021-04-29 9:48 UTC (permalink / raw) To: pve-devel Lorenz Stechauner (2): fix #3402: add Pool.Audit permission PVE/API2/Cluster.pm | 2 +- PVE/API2/Pool.pm | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) fix #3402: add Pool.Audit permission PVE/AccessControl.pm | 8 ++++++-- README | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH access-control 1/1] fix #3402: add Pool.Audit permission 2021-04-29 9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner @ 2021-04-29 9:48 ` Lorenz Stechauner 2021-04-30 11:27 ` Fabian Grünbichler 2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner 1 sibling, 1 reply; 5+ messages in thread From: Lorenz Stechauner @ 2021-04-29 9:48 UTC (permalink / raw) To: pve-devel Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> --- PVE/AccessControl.pm | 8 ++++++-- README | 1 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index f7d4e78..888875e 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -819,8 +819,12 @@ my $privgroups = { admin => [ 'Pool.Allocate', # create/delete pools ], - user => [], - audit => [], + user => [ + 'Pool.Audit', + ], + audit => [ + 'Pool.Audit', + ], }, }; diff --git a/README b/README index 33643a6..698b7a8 100644 --- a/README +++ b/README @@ -96,6 +96,7 @@ privileges: VM.Config.Options: modify any other VM configuration Pool.Allocate: create/remove/modify a pool. + Pool.Audit: view/browse pool Datastore.Allocate: create/remove/modify a data store. Datastore.AllocateSpace: allocate space on a datastore -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 1/1] fix #3402: add Pool.Audit permission 2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner @ 2021-04-30 11:27 ` Fabian Grünbichler 0 siblings, 0 replies; 5+ messages in thread From: Fabian Grünbichler @ 2021-04-30 11:27 UTC (permalink / raw) To: Proxmox VE development discussion On April 29, 2021 11:48 am, Lorenz Stechauner wrote: > Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> > --- > PVE/AccessControl.pm | 8 ++++++-- > README | 1 + > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm > index f7d4e78..888875e 100644 > --- a/PVE/AccessControl.pm > +++ b/PVE/AccessControl.pm > @@ -819,8 +819,12 @@ my $privgroups = { > admin => [ > 'Pool.Allocate', # create/delete pools > ], > - user => [], > - audit => [], > + user => [ > + 'Pool.Audit', > + ], this hunk actually causes a new built-in "PVEUser" role to be defined.. I am not sure whether it's worth it (probably PVEAuditor already serves that niche for almost all use-cases). but if we include it, then this requires a pve-docs patch as well ;) users might also already have a custom role named like that, so potentially defer to 7.0 as breaking change? > + audit => [ > + 'Pool.Audit', > + ], > }, > }; > > diff --git a/README b/README > index 33643a6..698b7a8 100644 > --- a/README > +++ b/README > @@ -96,6 +96,7 @@ privileges: > VM.Config.Options: modify any other VM configuration > > Pool.Allocate: create/remove/modify a pool. > + Pool.Audit: view/browse pool > > Datastore.Allocate: create/remove/modify a data store. > Datastore.AllocateSpace: allocate space on a datastore > -- > 2.20.1 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission 2021-04-29 9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner 2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner @ 2021-04-29 9:49 ` Lorenz Stechauner 2021-04-30 11:27 ` Fabian Grünbichler 1 sibling, 1 reply; 5+ messages in thread From: Lorenz Stechauner @ 2021-04-29 9:49 UTC (permalink / raw) To: pve-devel Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> --- PVE/API2/Cluster.pm | 2 +- PVE/API2/Pool.pm | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm index ab5b28a1..ace5b5b1 100644 --- a/PVE/API2/Cluster.pm +++ b/PVE/API2/Cluster.pm @@ -332,7 +332,7 @@ __PACKAGE__->register_method({ for my $pool (sort keys %{$usercfg->{pools}}) { my $d = $usercfg->{pools}->{$pool}; - next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1); + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1); my $entry = { id => "/pool/$pool", diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm index 567c7e8d..6ef981fb 100644 --- a/PVE/API2/Pool.pm +++ b/PVE/API2/Pool.pm @@ -23,7 +23,7 @@ __PACKAGE__->register_method ({ method => 'GET', description => "Pool index.", permissions => { - description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.", + description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.", user => 'all', }, parameters => { @@ -51,7 +51,7 @@ __PACKAGE__->register_method ({ my $usercfg = $rpcenv->{user_cfg}; foreach my $pool (keys %{$usercfg->{pools}}) { - next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1); + next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1); my $entry = { poolid => $pool }; my $data = $usercfg->{pools}->{$pool}; @@ -202,7 +202,7 @@ __PACKAGE__->register_method ({ path => '{poolid}', method => 'GET', permissions => { - check => ['perm', '/pool/{poolid}', ['Pool.Allocate']], + check => ['perm', '/pool/{poolid}', ['Pool.Audit']], }, description => "Get pool configuration.", parameters => { -- 2.20.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission 2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner @ 2021-04-30 11:27 ` Fabian Grünbichler 0 siblings, 0 replies; 5+ messages in thread From: Fabian Grünbichler @ 2021-04-30 11:27 UTC (permalink / raw) To: Proxmox VE development discussion On April 29, 2021 11:49 am, Lorenz Stechauner wrote: > Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com> > --- > PVE/API2/Cluster.pm | 2 +- > PVE/API2/Pool.pm | 6 +++--- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm > index ab5b28a1..ace5b5b1 100644 > --- a/PVE/API2/Cluster.pm > +++ b/PVE/API2/Cluster.pm > @@ -332,7 +332,7 @@ __PACKAGE__->register_method({ > for my $pool (sort keys %{$usercfg->{pools}}) { > my $d = $usercfg->{pools}->{$pool}; > > - next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1); > + next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1); > > my $entry = { > id => "/pool/$pool", > diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm > index 567c7e8d..6ef981fb 100644 > --- a/PVE/API2/Pool.pm > +++ b/PVE/API2/Pool.pm > @@ -23,7 +23,7 @@ __PACKAGE__->register_method ({ > method => 'GET', > description => "Pool index.", > permissions => { > - description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.", > + description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.", for backwards-compat we need to still accept Pool.Allocate as well there might be custom roles out there that have Pool.Allocate, those would now not be able to see their pool anymore unless they happen to have VM.Allocate on that pool as well which is not a given. we could drop Pool.Allocate for 7.0 if we want to break compat at that point.. > user => 'all', > }, > parameters => { > @@ -51,7 +51,7 @@ __PACKAGE__->register_method ({ > my $usercfg = $rpcenv->{user_cfg}; > > foreach my $pool (keys %{$usercfg->{pools}}) { > - next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1); > + next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1); which means this has to be changed > > my $entry = { poolid => $pool }; > my $data = $usercfg->{pools}->{$pool}; > @@ -202,7 +202,7 @@ __PACKAGE__->register_method ({ > path => '{poolid}', > method => 'GET', > permissions => { > - check => ['perm', '/pool/{poolid}', ['Pool.Allocate']], > + check => ['perm', '/pool/{poolid}', ['Pool.Audit']], same here > }, > description => "Get pool configuration.", > parameters => { > -- > 2.20.1 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-04-30 11:28 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-04-29 9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner 2021-04-29 9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner 2021-04-30 11:27 ` Fabian Grünbichler 2021-04-29 9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner 2021-04-30 11:27 ` Fabian Grünbichler
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox