From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Oguz Bektas <o.bektas@proxmox.com>, pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH v4 qemu-server 08/18] api: allow superusers to use 'skiplock' option
Date: Wed, 27 Jul 2022 11:07:15 +0200 [thread overview]
Message-ID: <1658910664.89576tpomn.astroid@nora.none> (raw)
In-Reply-To: <<20220602072450.55209-9-o.bektas@proxmox.com>
On June 2, 2022 9:24 am, Oguz Bektas wrote:
> also mark the intentionally root-only migration related options
> in param descriptions and leave a reminder comment.
how are these changes related? please split them up into two patches (or
merge the comment part into the other path that adds similar comments)
>
> Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> PVE/API2/Qemu.pm | 71 ++++++++++++++++++++++++++++++++----------------
> 1 file changed, 48 insertions(+), 23 deletions(-)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 2e75ab6..198e736 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -1337,8 +1337,8 @@ my $update_vm_api = sub {
> my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
>
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $delete_str = extract_param($param, 'delete');
>
> @@ -1864,9 +1864,11 @@ __PACKAGE__->register_method({
> my $authuser = $rpcenv->get_user();
> my $vmid = $param->{vmid};
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = $param->{skiplock};
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $early_checks = sub {
> # test if VM exists
> @@ -2474,25 +2476,27 @@ __PACKAGE__->register_method({
> migration_type => {
> type => 'string',
> enum => ['secure', 'insecure'],
> - description => "Migration traffic is encrypted using an SSH " .
> + description => "Migration-internal parameter. Migration traffic is encrypted using an SSH " .
> "tunnel by default. On secure, completely private networks " .
> "this can be disabled to increase performance.",
> optional => 1,
> },
> migration_network => {
> type => 'string', format => 'CIDR',
> - description => "CIDR of the (sub) network that is used for migration.",
> + description => "Migration-internal parameter. CIDR of the (sub)network " .
> + "that is used for migration.",
> optional => 1,
> },
> machine => get_standard_option('pve-qemu-machine'),
> 'force-cpu' => {
> - description => "Override QEMU's -cpu argument with the given string.",
> + description => "Migration-internal parameter. Override QEMU's" .
> + "-cpu argument with the given string.",
> type => 'string',
> optional => 1,
> },
> targetstorage => get_standard_option('pve-targetstorage'),
> timeout => {
> - description => "Wait maximal timeout seconds.",
> + description => "Migration-internal parameter. Wait maximal timeout seconds.",
> type => 'integer',
> minimum => 0,
> default => 'max(30, vm memory in GiB)',
> @@ -2514,6 +2518,14 @@ __PACKAGE__->register_method({
> my $timeout = extract_param($param, 'timeout');
> my $machine = extract_param($param, 'machine');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> + my $skiplock = extract_param($param, 'skiplock');
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
> +
> + # since they are only used for migration-internal flows,
> + # these parameters are still intentionally limited to root@pam
> my $get_root_param = sub {
> my $value = extract_param($param, $_[0]);
> raise_param_exc({ "$_[0]" => "Only root may use this option." })
> @@ -2522,7 +2534,6 @@ __PACKAGE__->register_method({
> };
>
> my $stateuri = $get_root_param->('stateuri');
> - my $skiplock = $get_root_param->('skiplock');
> my $migratedfrom = $get_root_param->('migratedfrom');
> my $migration_type = $get_root_param->('migration_type');
> my $migration_network = $get_root_param->('migration_network');
> @@ -2662,9 +2673,11 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $keepActive = extract_param($param, 'keepActive');
> raise_param_exc({ keepActive => "Only root may use this option." })
> @@ -2739,9 +2752,11 @@ __PACKAGE__->register_method({
>
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
>
> @@ -2806,9 +2821,11 @@ __PACKAGE__->register_method({
> my $node = extract_param($param, 'node');
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $keepActive = extract_param($param, 'keepActive');
> raise_param_exc({ keepActive => "Only root may use this option." })
> @@ -2965,9 +2982,11 @@ __PACKAGE__->register_method({
>
> my $statestorage = extract_param($param, 'statestorage');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> die "VM $vmid not running\n" if !PVE::QemuServer::check_running($vmid);
>
> @@ -3037,9 +3056,11 @@ __PACKAGE__->register_method({
>
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $nocheck = extract_param($param, 'nocheck');
> raise_param_exc({ nocheck => "Only root may use this option." })
> @@ -3109,9 +3130,11 @@ __PACKAGE__->register_method({
>
> my $vmid = extract_param($param, 'vmid');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> PVE::QemuServer::vm_sendkey($vmid, $skiplock, $param->{key});
>
> @@ -4372,9 +4395,11 @@ __PACKAGE__->register_method({
>
> my $sizestr = extract_param($param, 'size');
>
> + my $is_superuser = $rpcenv->check($authuser, "/vms/$vmid", ['SuperUser'], 1);
> +
> my $skiplock = extract_param($param, 'skiplock');
> - raise_param_exc({ skiplock => "Only root may use this option." })
> - if $skiplock && $authuser ne 'root@pam';
> + raise_param_exc({ skiplock => "Only superusers may use this option." })
> + if $skiplock && !$is_superuser;
>
> my $storecfg = PVE::Storage::config();
>
> --
> 2.30.2
>
>
next prev parent reply other threads:[~2022-07-27 9:07 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-02 7:24 [pve-devel] [PATCH v4 access-control++ 00/18] SuperUser privilege Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 01/18] add "SuperAdministrator" role with the new "SuperUser" privilege Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 02/18] RPC env: add SuperUser API permission for GUI capabilities Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 03/18] api: acl: only allow granting SU privilege if user already has it Oguz Bektas
[not found] ` <<20220602072450.55209-4-o.bektas@proxmox.com>
2022-07-27 9:06 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 04/18] api: roles: only allow modifying roles to add/remove SU if user has SU themselves Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 access-control 05/18] api: allow superusers to edit tfa and password settings Oguz Bektas
[not found] ` <<20220602072450.55209-6-o.bektas@proxmox.com>
2022-07-27 9:06 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 06/18] api: allow SU privileged users to edit root-only options for VM configs Oguz Bektas
[not found] ` <<20220602072450.55209-7-o.bektas@proxmox.com>
2022-07-27 9:06 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 07/18] migration tests: mock $rpcenv->check subroutine Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 08/18] api: allow superusers to use 'skiplock' option Oguz Bektas
[not found] ` <<20220602072450.55209-9-o.bektas@proxmox.com>
2022-07-27 9:07 ` Fabian Grünbichler [this message]
2022-06-02 7:24 ` [pve-devel] [PATCH v4 qemu-server 09/18] parse_backup_hints: add comment for root shortcut and fix typos Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 10/18] api: backup: allow SUs to use 'tmpdir', 'dumpdir' and 'script' options Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 11/18] api: vzdump: allow SUs to use 'bwlimit' and 'ionice' parameters Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 12/18] api: always drop to login prompt for non-root users on terminal proxy calls Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 13/18] ui: include "SuperUser" in privilege selector Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 14/18] ui: lxc features: check for SU instead of 'root@pam' Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 manager 15/18] ui: adapt sensible 'root@pam' checks to SU Oguz Bektas
[not found] ` <<20220602072450.55209-16-o.bektas@proxmox.com>
2022-07-27 9:07 ` Fabian Grünbichler
2022-06-02 7:24 ` [pve-devel] [PATCH v4 container 16/18] fix #2582: api: add checks for 'SuperUser' privilege for root-only options Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 storage 17/18] check_volume_access: allow superusers to pass arbitrary fs paths Oguz Bektas
2022-06-02 7:24 ` [pve-devel] [PATCH v4 docs 18/18] pveum: add SU privilege and SA role Oguz Bektas
[not found] ` <<20220602072450.55209-19-o.bektas@proxmox.com>
2022-07-27 9:08 ` Fabian Grünbichler
[not found] ` <<20220602072450.55209-1-o.bektas@proxmox.com>
2022-07-27 9:10 ` [pve-devel] [PATCH v4 access-control++ 00/18] SuperUser privilege Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1658910664.89576tpomn.astroid@nora.none \
--to=f.gruenbichler@proxmox.com \
--cc=o.bektas@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox