From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] fix #5254: add separate Sys.AccessNetwork privilege
Date: Fri, 23 Feb 2024 11:21:08 +0100 [thread overview]
Message-ID: <1708683464.bi76ltgkfr.astroid@yuna.none> (raw)
In-Reply-To: <20240219171412.1576651-1-t.lamprecht@proxmox.com>
On February 19, 2024 6:14 pm, Thomas Lamprecht wrote:
> Adds a new Sys.AccessNetwork privilege that can be used to guard API
> endpoints that can do outgoing network requests with (some) user control
> over said requests, like e.g. the "download URL to storage" one.
>
> ## Backstory:
>
> This stems from an user request [0] w.r.t. the "download image through
> and URL directly to a storage" functionality and their use case of that
> through automation while wanting to adhere to the principle of least
> privilege.
>
> Because before this series the access to the required endpoints was
> guarded by the more powerful Sys.Modify and Sys.Audit privilege
> requirement on the / root ACL object path.
> So, if anybody wants to set up an API token so that automation can
> handle image downloads they'd need to give that API token very powerful
> permissions to make it work.
>
> A more specialized privilege seems warranted now, so add the
> Sys.AccessNetwork one and adapt the /nodes/{node}/query-url-metadata and
> the related /nodes/{node}/storage/{storage}/download-url API endpoints
> for now.
>
> ## Testing:
>
> Tested by creating a new custom role with the privileges
> `Datastore.Audit,Datastore.AllocateTemplate,Sys.AccessNetwork`, then
> created a user that gets a permission with above role for a specific
> node and a storage and then try querying and downloading an image, with
> and without this patch series applied.
>
> ## Future Work
>
> We could this even re-use for other endpoints, like adding storages that
> are accessed through the network, as that provides a (limited) side
> channel too.
for the whole series:
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
this seems like a sensible addition, and is hopefully neither to
specific nor too generic for future extensions.
while the dependencies are not "hard", it might still be a good idea to
bump the min versions to ensure no weird combination is moved along the
repositories (and also, it makes it easier to tell users which version
they need, since just looking at pve-manager or pve-storage depending on
the endpoint is needed).
next prev parent reply other threads:[~2024-02-23 10:21 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-19 17:14 Thomas Lamprecht
2024-02-19 17:14 ` [pve-devel] [PATCH access-control] add " Thomas Lamprecht
2024-02-19 17:14 ` [pve-devel] [PATCH storage:] fix #5254: api: allow usage of download-url with Sys.AccessNetwork Thomas Lamprecht
2024-02-19 17:14 ` [pve-devel] [PATCH manager 1/2] api: nodes: allow usage of query url metadata " Thomas Lamprecht
2024-02-19 17:14 ` [pve-devel] [PATCH manager 2/2] ui: storage: enable download-url button with Sys.AccessNetwork capability Thomas Lamprecht
2024-02-19 17:25 ` [pve-devel] fix #5254: add separate Sys.AccessNetwork privilege Thomas Lamprecht
2024-02-20 15:51 ` Hannes Dürr
2024-02-23 10:21 ` Fabian Grünbichler [this message]
2024-02-28 14:55 ` [pve-devel] applied-series: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1708683464.bi76ltgkfr.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox