* [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
Note: compat breaking changes for Pool.Allocate permission
changes to v1:
* docs patch now included
* `/cluster/resources` now returns pool infomation for guests only if
the requesting user has the Pool.Audit permission on the pool
pve-manager:
Lorenz Stechauner (1):
fix #3402: add Pool.Audit permission
PVE/API2/Cluster.pm | 7 ++++++-
PVE/API2/Pool.pm | 7 ++++---
PVE/API2/VZDump.pm | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
pve-access-control:
Lorenz Stechauner (1):
fix #3402: add Pool.Audit permission
README | 1 +
src/PVE/AccessControl.pm | 8 ++++++--
2 files changed, 7 insertions(+), 2 deletions(-)
pve-docs:
Lorenz Stechauner (1):
fix #3202: pveum: add Pool.Audit permission
pveum.adoc | 1 +
1 file changed, 1 insertion(+)
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH v2 access-control 1/1] fix #3402: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
@ 2021-05-20 10:03 ` Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
README | 1 +
src/PVE/AccessControl.pm | 8 ++++++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 33643a6..c706e5b 100644
--- a/README
+++ b/README
@@ -96,6 +96,7 @@ privileges:
VM.Config.Options: modify any other VM configuration
Pool.Allocate: create/remove/modify a pool.
+ Pool.Audit: view a pool
Datastore.Allocate: create/remove/modify a data store.
Datastore.AllocateSpace: allocate space on a datastore
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..888875e 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -819,8 +819,12 @@ my $privgroups = {
admin => [
'Pool.Allocate', # create/delete pools
],
- user => [],
- audit => [],
+ user => [
+ 'Pool.Audit',
+ ],
+ audit => [
+ 'Pool.Audit',
+ ],
},
};
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH v2 manager 1/1] fix #3402: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
@ 2021-05-20 10:03 ` Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner
2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
everywhere where Pool.Allocate was unnecessarly used it was replaced
with Pool.Audit.
`/cluster/resources` now returns pool infomation for guests only if
the requesting user has the Pool.Audit permission on the pool.
`/pool/` now returns only pools where the requesting user has the
Pool.Audit permission.
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
PVE/API2/Cluster.pm | 7 ++++++-
PVE/API2/Pool.pm | 7 ++++---
PVE/API2/VZDump.pm | 2 +-
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index ab5b28a1..641b846d 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
for my $pool (sort keys %{$usercfg->{pools}}) {
my $d = $usercfg->{pools}->{$pool};
- next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+ next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = {
id => "/pool/$pool",
@@ -384,6 +384,11 @@ __PACKAGE__->register_method({
$entry->{lock} = $lock;
}
+ if (defined($entry->{pool}) &&
+ !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
+ delete $entry->{pool};
+ }
+
# get ha status
if (my $hatype = $hatypemap->{$entry->{type}}) {
my $sid = "$hatype:$vmid";
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
index 43375b02..28c29ab8 100644
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
method => 'GET',
description => "Pool index.",
permissions => {
- description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+ description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
user => 'all',
},
parameters => {
@@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
my $usercfg = $rpcenv->{user_cfg};
+
my $res = [];
for my $pool (sort keys %{$usercfg->{pools}}) {
- next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+ next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = { poolid => $pool };
my $pool_config = $usercfg->{pools}->{$pool};
@@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'GET',
permissions => {
- check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+ check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
},
description => "Get pool configuration.",
parameters => {
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 82dd9415..4093d82f 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
my $pool = $res->{pool};
if (defined($pool) &&
- !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
+ !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
delete $res->{pool};
}
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner
@ 2021-05-20 10:03 ` Lorenz Stechauner
2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
pveum.adoc | 1 +
1 file changed, 1 insertion(+)
diff --git a/pveum.adoc b/pveum.adoc
index 7120db7..71ea7ef 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -449,6 +449,7 @@ Node / System related privileges::
* `Sys.Modify`: create/remove/modify node network parameters
* `Group.Allocate`: create/remove/modify groups
* `Pool.Allocate`: create/remove/modify a pool
+* `Pool.Audit`: view a pool
* `Realm.Allocate`: create/remove/modify authentication realms
* `Realm.AllocateUser`: assign user to a realm
* `User.Modify`: create/remove/modify user access and details.
--
2.20.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
` (2 preceding siblings ...)
2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner
@ 2021-06-01 9:06 ` Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-06-01 9:06 UTC (permalink / raw)
To: Proxmox VE development discussion
On May 20, 2021 12:03 pm, Lorenz Stechauner wrote:
> Note: compat breaking changes for Pool.Allocate permission
>
> changes to v1:
> * docs patch now included
> * `/cluster/resources` now returns pool infomation for guests only if
> the requesting user has the Pool.Audit permission on the pool
>
>
>
> pve-manager:
>
> Lorenz Stechauner (1):
> fix #3402: add Pool.Audit permission
>
> PVE/API2/Cluster.pm | 7 ++++++-
> PVE/API2/Pool.pm | 7 ++++---
> PVE/API2/VZDump.pm | 2 +-
> 3 files changed, 11 insertions(+), 5 deletions(-)
>
>
> pve-access-control:
>
> Lorenz Stechauner (1):
> fix #3402: add Pool.Audit permission
>
> README | 1 +
> src/PVE/AccessControl.pm | 8 ++++++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
>
> pve-docs:
>
> Lorenz Stechauner (1):
> fix #3202: pveum: add Pool.Audit permission
>
> pveum.adoc | 1 +
> 1 file changed, 1 insertion(+)
> --
> 2.20.1
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-06-01 9:06 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-20 10:03 [pve-devel] [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: add Pool.Audit permission Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 access-control 1/1] " Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 manager " Lorenz Stechauner
2021-05-20 10:03 ` [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: " Lorenz Stechauner
2021-06-01 9:06 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-conrol/docs] fix #3402: " Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox