From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH access-control v4 2/6] added acls for Shared Files Directories
Date: Thu, 04 May 2023 10:24:38 +0200 [thread overview]
Message-ID: <1683187127.i3oot16wx3.astroid@yuna.none> (raw)
In-Reply-To: <20230425102136.85334-3-m.frank@proxmox.com>
On April 25, 2023 12:21 pm, Markus Frank wrote:
> Signed-off-by: Markus Frank <m.frank@proxmox.com>
> ---
> src/PVE/API2/Directory.pm | 68 +++++++++++++++++++++++++++++++++++++++
this parts seems to be included by accident? ;)
> src/PVE/AccessControl.pm | 16 +++++++++
> src/PVE/RPCEnvironment.pm | 12 ++++++-
> 3 files changed, 95 insertions(+), 1 deletion(-)
> create mode 100644 src/PVE/API2/Directory.pm
>
> diff --git a/src/PVE/API2/Directory.pm b/src/PVE/API2/Directory.pm
> new file mode 100644
> index 0000000..b44ba9d
> --- /dev/null
> +++ b/src/PVE/API2/Directory.pm
> @@ -0,0 +1,68 @@
> +package PVE::API2::Directory;
> +
> +use strict;
> +use warnings;
> +
> +use PVE::Exception qw(raise raise_perm_exc raise_param_exc);
> +use PVE::Cluster qw (cfs_read_file cfs_write_file);
> +use PVE::Tools qw(split_list extract_param);
> +use PVE::JSONSchema qw(get_standard_option register_standard_option);
> +use PVE::SafeSyslog;
> +
> +use PVE::AccessControl;
> +use PVE::Auth::Plugin;
> +use PVE::TokenConfig;
> +
> +use PVE::RESTHandler;
> +use PVE::DirConfig;
> +
> +use base qw(PVE::RESTHandler);
> +
> +__PACKAGE__->register_method ({
> + name => 'index',
> + path => '',
> + method => 'GET',
> + description => "simple return value of parameter 'text'",
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + node => {
> + type => 'string',
> + }
> + },
> + },
> + returns => {
> + type => 'string',
> + },
> + code => sub {
> + my ($param) = @_;
> + return $param->{node};
> + }
> +});
> +
> +
> +__PACKAGE__->register_method ({
> + name => 'add_dir',
> + path => 'add',
> + method => 'POST',
> + description => "simple return value of parameter 'text'",
> + parameters => {
> + additionalProperties => 0,
> + properties => {
> + directory => {
> + type => 'string',
> + },
> + node => {
> + type => 'string',
> + }
> + },
> + },
> + returns => {
> + type => 'string',
> + },
> + code => sub {
> + my ($param) = @_;
> +
> + return $param->{node};
> + }
> +});
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> index 5690a1f..6530753 100644
> --- a/src/PVE/AccessControl.pm
> +++ b/src/PVE/AccessControl.pm
> @@ -1133,6 +1133,18 @@ my $privgroups = {
> 'Pool.Audit',
> ],
> },
> + Map => {
> + root => [],
> + admin => [
> + 'Map.Modify',
> + ],
> + user => [
> + 'Map.Use',
> + ],
> + audit => [
> + 'Map.Audit',
> + ],
> + },
the priv names need coordination with Dominik, we definitely don't want
two sets!
> };
>
> my $valid_privs = {};
> @@ -1166,6 +1178,8 @@ sub create_roles {
> }
>
> $special_roles->{"PVETemplateUser"} = { 'VM.Clone' => 1, 'VM.Audit' => 1 };
> +
> + delete($special_roles->{"PVEAdmin"}->{'Map.Modify'});
this is something were Dominik had some ideas as well IIRC ;)
> };
>
> create_roles();
> @@ -1262,6 +1276,8 @@ sub check_path {
> |/storage/[[:alnum:]\.\-\_]+
> |/vms
> |/vms/[1-9][0-9]{2,}
> + |/map/dirs
> + |/map/dirs/[[:alnum:]\.\-\_]+
> )$!xs;
> }
>
> diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
> index 8586938..42ff287 100644
> --- a/src/PVE/RPCEnvironment.pm
> +++ b/src/PVE/RPCEnvironment.pm
> @@ -187,10 +187,11 @@ sub compute_api_permission {
> nodes => qr/Sys\.|Permissions\.Modify/,
> sdn => qr/SDN\.|Permissions\.Modify/,
> dc => qr/Sys\.Audit|SDN\./,
> + map => qr/Map\.Modify/
why Modify? I think Map. and Permissions.Modify would make more sense?
> };
> map { $res->{$_} = {} } keys %$priv_re_map;
>
> - my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn'];
> + my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn', '/map'];
> my $defined_paths = [];
> PVE::AccessControl::iterate_acl_tree("/", $usercfg->{acl_root}, sub {
> my ($path, $node) = @_;
> @@ -245,6 +246,7 @@ sub get_effective_permissions {
> '/sdn' => 1,
> '/storage' => 1,
> '/vms' => 1,
> + '/map' => 1,
> };
>
> my $cfg = $self->{user_cfg};
> @@ -361,6 +363,14 @@ sub check_vm_perm {
> return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr);
> };
>
> +sub check_dir_perm {
> + my ($self, $user, $dirid, $privs, $any, $noerr) = @_;
> +
> + my $cfg = $self->{user_cfg};
> +
> + return $self->check_full($user, "/map/dirs/$dirid", $privs, $any, $noerr);
> +};
I don't think this helper brings anything to the table? check_vm_perm is
special in that it handles pools, and we want that in a single place,
but this is just hardcoding the ACL prefix?
> +
> sub is_group_member {
> my ($self, $group, $user) = @_;
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
next prev parent reply other threads:[~2023-05-04 8:25 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-25 10:21 [pve-devel] [PATCH docs v4 0/6] feature #1027 virtio-9p/virtio-fs Markus Frank
2023-04-25 10:21 ` [pve-devel] [PATCH docs v4 1/6] added shared filesystem doc for virtio-fs & virtio-9p Markus Frank
2023-04-25 10:21 ` [pve-devel] [PATCH access-control v4 2/6] added acls for Shared Files Directories Markus Frank
2023-05-04 8:24 ` Fabian Grünbichler [this message]
2023-04-25 10:21 ` [pve-devel] [PATCH manager v4 3/6] added Config for Shared Filesystem Directories Markus Frank
2023-05-03 11:26 ` Dominik Csapak
2023-05-04 8:13 ` Thomas Lamprecht
2023-05-04 8:31 ` Dominik Csapak
2023-05-04 8:42 ` Thomas Lamprecht
2023-05-04 8:57 ` Dominik Csapak
2023-05-04 10:21 ` Thomas Lamprecht
2023-05-09 9:31 ` Dominik Csapak
2023-05-04 8:24 ` Fabian Grünbichler
2023-04-25 10:21 ` [pve-devel] [PATCH manager v4 4/6] added Shared Files tab in Node Settings Markus Frank
2023-04-25 10:21 ` [pve-devel] [PATCH manager v4 5/6] added options to add virtio-9p & virtio-fs Shared Filesystems to qemu config Markus Frank
2023-04-25 10:21 ` [pve-devel] [PATCH qemu-server v4 6/6] feature #1027: virtio-9p & virtio-fs support Markus Frank
2023-05-04 8:39 ` Fabian Grünbichler
2023-05-05 8:27 ` Markus Frank
2023-05-04 8:24 ` [pve-devel] [PATCH docs v4 0/6] feature #1027 virtio-9p/virtio-fs Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1683187127.i3oot16wx3.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox