From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 2ED898DA8B for ; Wed, 9 Nov 2022 13:06:10 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0978E1BDDF for ; Wed, 9 Nov 2022 13:05:40 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 9 Nov 2022 13:05:39 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 14A4F422FF for ; Wed, 9 Nov 2022 13:05:39 +0100 (CET) Date: Wed, 09 Nov 2022 13:05:32 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox VE development discussion References: <20220920125041.3636561-1-d.csapak@proxmox.com> <20220920125041.3636561-7-d.csapak@proxmox.com> In-Reply-To: <20220920125041.3636561-7-d.csapak@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1667994471.zlbn23bpo0.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.091 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [rpcenvironment.pm, accesscontrol.pm] Subject: Re: [pve-devel] [PATCH access-control v3 1/1] PVE/AccessControl: add Hardware.* privileges and /hardware/ paths X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Nov 2022 12:06:10 -0000 On September 20, 2022 2:50 pm, Dominik Csapak wrote: > so that we can assign privileges on hardware level >=20 > this will generate a new role (PVEHardwareAdmin) >=20 > Signed-off-by: Dominik Csapak > --- > src/PVE/AccessControl.pm | 13 +++++++++++++ > src/PVE/RPCEnvironment.pm | 3 ++- > 2 files changed, 15 insertions(+), 1 deletion(-) >=20 > diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm > index c32dcc3..9cbc376 100644 > --- a/src/PVE/AccessControl.pm > +++ b/src/PVE/AccessControl.pm > @@ -1080,6 +1080,17 @@ my $privgroups =3D { > 'Pool.Audit', > ], > }, > + Hardware =3D> { > + root =3D> [ > + 'Hardware.Configure', # create/edit mappings > + ], > + admin =3D> [ > + 'Hardware.Use', > + ], > + audit =3D> [ > + 'Hardware.Audit', > + ], > + }, I guess the rationale here was that currently hardware is root only, so hav= ing admin =3D> Configure, user =3D> Use, audit =3D> Audit, would mean the existing PVEAdmin roles would gain something that was previo= usly root only?=20 note that the current patch still means that for the "Administrator" role anyway, since that gets *all* defined privileges.. (which might also be something worthy of calling out somewhere?) it still might make sense to put Hardware.Use into the user category for consistency's sake? also not sure whether it would be worth it to re-think "Configure" (a bit more explicit) vs. "Modify" (consistent with existing schema).. > }; > =20 > my $valid_privs =3D {}; > @@ -1209,6 +1220,8 @@ sub check_path { > |/storage/[[:alnum:]\.\-\_]+ > |/vms > |/vms/[1-9][0-9]{2,} > + |/hardware > + |/hardware/[[:alnum:]\.\-\_]+ > )$!xs; > } > =20 > diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm > index 0ee2346..bcf911b 100644 > --- a/src/PVE/RPCEnvironment.pm > +++ b/src/PVE/RPCEnvironment.pm > @@ -187,10 +187,11 @@ sub compute_api_permission { > nodes =3D> qr/Sys\.|Permissions\.Modify/, > sdn =3D> qr/SDN\.|Permissions\.Modify/, > dc =3D> qr/Sys\.Audit|SDN\./, > + hardware =3D> qr/Hardware\.|Permissiions\.Modify/, typo "Permissiions" > }; > map { $res->{$_} =3D {} } keys %$priv_re_map; > =20 > - my $required_paths =3D ['/', '/nodes', '/access/groups', '/vms', '/s= torage', '/sdn']; > + my $required_paths =3D ['/', '/nodes', '/access/groups', '/vms', '/s= torage', '/sdn', '/hardware']; > =20 > my $checked_paths =3D {}; > foreach my $path (@$required_paths, keys %{$usercfg->{acl}}) { > --=20 > 2.30.2