public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission
@ 2021-04-29  9:48 Lorenz Stechauner
  2021-04-29  9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
  2021-04-29  9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
  0 siblings, 2 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-04-29  9:48 UTC (permalink / raw)
  To: pve-devel

Lorenz Stechauner (2):
  fix #3402: add Pool.Audit permission

 PVE/API2/Cluster.pm | 2 +-
 PVE/API2/Pool.pm    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
 
  fix #3402: add Pool.Audit permission

 PVE/AccessControl.pm | 8 ++++++--
 README               | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

-- 
2.20.1




^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH access-control 1/1] fix #3402: add Pool.Audit permission
  2021-04-29  9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner
@ 2021-04-29  9:48 ` Lorenz Stechauner
  2021-04-30 11:27   ` Fabian Grünbichler
  2021-04-29  9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
  1 sibling, 1 reply; 5+ messages in thread
From: Lorenz Stechauner @ 2021-04-29  9:48 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 PVE/AccessControl.pm | 8 ++++++--
 README               | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index f7d4e78..888875e 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -819,8 +819,12 @@ my $privgroups = {
 	admin => [
 	    'Pool.Allocate', # create/delete pools
 	],
-	user => [],
-	audit => [],
+	user => [
+	    'Pool.Audit',
+	],
+	audit => [
+	    'Pool.Audit',
+	],
     },
 };
 
diff --git a/README b/README
index 33643a6..698b7a8 100644
--- a/README
+++ b/README
@@ -96,6 +96,7 @@ privileges:
 	  VM.Config.Options: modify any other VM configuration 
 
 	Pool.Allocate: create/remove/modify a pool.
+	Pool.Audit: view/browse pool
 
 	Datastore.Allocate: create/remove/modify a data store.
 	Datastore.AllocateSpace: allocate space on a datastore
-- 
2.20.1




^ permalink raw reply	[flat|nested] 5+ messages in thread

* [pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission
  2021-04-29  9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner
  2021-04-29  9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
@ 2021-04-29  9:49 ` Lorenz Stechauner
  2021-04-30 11:27   ` Fabian Grünbichler
  1 sibling, 1 reply; 5+ messages in thread
From: Lorenz Stechauner @ 2021-04-29  9:49 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 PVE/API2/Cluster.pm | 2 +-
 PVE/API2/Pool.pm    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index ab5b28a1..ace5b5b1 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
 	    for my $pool (sort keys %{$usercfg->{pools}}) {
 		my $d = $usercfg->{pools}->{$pool};
 
-		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
 
 		my $entry = {
 		    id => "/pool/$pool",
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
index 567c7e8d..6ef981fb 100644
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -23,7 +23,7 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "Pool index.",
     permissions => { 
-	description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+	description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.",
 	user => 'all',
     },
     parameters => {
@@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
 	my $usercfg = $rpcenv->{user_cfg};
 
 	foreach my $pool (keys %{$usercfg->{pools}}) {
-	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1);
 
 	    my $entry = { poolid => $pool };
 	    my $data = $usercfg->{pools}->{$pool};
@@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
     path => '{poolid}', 
     method => 'GET',
     permissions => { 
-	check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+	check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
     },
     description => "Get pool configuration.",
     parameters => {
-- 
2.20.1




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH access-control 1/1] fix #3402: add Pool.Audit permission
  2021-04-29  9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
@ 2021-04-30 11:27   ` Fabian Grünbichler
  0 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-04-30 11:27 UTC (permalink / raw)
  To: Proxmox VE development discussion

On April 29, 2021 11:48 am, Lorenz Stechauner wrote:
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
>  PVE/AccessControl.pm | 8 ++++++--
>  README               | 1 +
>  2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index f7d4e78..888875e 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -819,8 +819,12 @@ my $privgroups = {
>  	admin => [
>  	    'Pool.Allocate', # create/delete pools
>  	],
> -	user => [],
> -	audit => [],
> +	user => [
> +	    'Pool.Audit',
> +	],

this hunk actually causes a new built-in "PVEUser" role to be defined..

I am not sure whether it's worth it (probably PVEAuditor already serves 
that niche for almost all use-cases). but if we include it, then this 
requires a pve-docs patch as well ;) users might also already have a 
custom role named like that, so potentially defer to 7.0 as breaking 
change?

> +	audit => [
> +	    'Pool.Audit',
> +	],
>      },
>  };
>  
> diff --git a/README b/README
> index 33643a6..698b7a8 100644
> --- a/README
> +++ b/README
> @@ -96,6 +96,7 @@ privileges:
>  	  VM.Config.Options: modify any other VM configuration 
>  
>  	Pool.Allocate: create/remove/modify a pool.
> +	Pool.Audit: view/browse pool
>  
>  	Datastore.Allocate: create/remove/modify a data store.
>  	Datastore.AllocateSpace: allocate space on a datastore
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission
  2021-04-29  9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
@ 2021-04-30 11:27   ` Fabian Grünbichler
  0 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-04-30 11:27 UTC (permalink / raw)
  To: Proxmox VE development discussion

On April 29, 2021 11:49 am, Lorenz Stechauner wrote:
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
>  PVE/API2/Cluster.pm | 2 +-
>  PVE/API2/Pool.pm    | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
> index ab5b28a1..ace5b5b1 100644
> --- a/PVE/API2/Cluster.pm
> +++ b/PVE/API2/Cluster.pm
> @@ -332,7 +332,7 @@ __PACKAGE__->register_method({
>  	    for my $pool (sort keys %{$usercfg->{pools}}) {
>  		my $d = $usercfg->{pools}->{$pool};
>  
> -		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
> +		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
>  
>  		my $entry = {
>  		    id => "/pool/$pool",
> diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
> index 567c7e8d..6ef981fb 100644
> --- a/PVE/API2/Pool.pm
> +++ b/PVE/API2/Pool.pm
> @@ -23,7 +23,7 @@ __PACKAGE__->register_method ({
>      method => 'GET',
>      description => "Pool index.",
>      permissions => { 
> -	description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
> +	description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.",

for backwards-compat we need to still accept Pool.Allocate as well 

there might be custom roles out there that have Pool.Allocate, those 
would now not be able to see their pool anymore unless they happen to 
have VM.Allocate on that pool as well which is not a given.

we could drop Pool.Allocate for 7.0 if we want to break compat at that 
point..

>  	user => 'all',
>      },
>      parameters => {
> @@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
>  	my $usercfg = $rpcenv->{user_cfg};
>  
>  	foreach my $pool (keys %{$usercfg->{pools}}) {
> -	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
> +	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1);

which means this has to be changed

>  
>  	    my $entry = { poolid => $pool };
>  	    my $data = $usercfg->{pools}->{$pool};
> @@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
>      path => '{poolid}', 
>      method => 'GET',
>      permissions => { 
> -	check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
> +	check => ['perm', '/pool/{poolid}', ['Pool.Audit']],

same here

>      },
>      description => "Get pool configuration.",
>      parameters => {
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-04-30 11:28 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-29  9:48 [pve-devel] SPAM: [PATCH-SERIES access-contorl/manager] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-04-29  9:48 ` [pve-devel] [PATCH access-control 1/1] " Lorenz Stechauner
2021-04-30 11:27   ` Fabian Grünbichler
2021-04-29  9:49 ` [pve-devel] [PATCH manager " Lorenz Stechauner
2021-04-30 11:27   ` Fabian Grünbichler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal