public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH-SERIES v2 manager/access-control/docs] fix #3402: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
  To: pve-devel

Note: compat breaking changes for Pool.Allocate permission

changes to v1:
* docs patch now included
* `/cluster/resources` now returns pool information for guests only if
    the requesting user has the Pool.Audit permission on the pool



pve-manager:

Lorenz Stechauner (1):
  fix #3402: add Pool.Audit permission

 PVE/API2/Cluster.pm | 7 ++++++-
 PVE/API2/Pool.pm    | 7 ++++---
 PVE/API2/VZDump.pm  | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)


pve-access-control:

Lorenz Stechauner (1):
  fix #3402: add Pool.Audit permission

 README                   | 1 +
 src/PVE/AccessControl.pm | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)


pve-docs:

Lorenz Stechauner (1):
  fix #3202: pveum: add Pool.Audit permission

 pveum.adoc | 1 +
 1 file changed, 1 insertion(+)
-- 
2.20.1

* [pve-devel] [PATCH v2 access-control 1/1] fix #3402: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
  To: pve-devel

add new user "PVEPoolUser" and add Pool.Audit to "PVEAuditor".

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 README                   | 1 +
 src/PVE/AccessControl.pm | 8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/README b/README
index 33643a6..c706e5b 100644
--- a/README
+++ b/README
@@ -96,6 +96,7 @@ privileges:
 	  VM.Config.Options: modify any other VM configuration 
 
 	Pool.Allocate: create/remove/modify a pool.
+	Pool.Audit: view a pool
 
 	Datastore.Allocate: create/remove/modify a data store.
 	Datastore.AllocateSpace: allocate space on a datastore
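Review bot: the new `Pool.Audit: view a pool` line is missing the trailing period that its neighbours use (`Pool.Allocate: create/remove/modify a pool.`, `Datastore.Allocate: create/remove/modify a data store.`); it would also help to spell out what "view" covers, since the manager patch in this series uses the privilege to gate both the `/pool` index and the `pool` field of `/cluster/resources` entries.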
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index f7d4e78..888875e 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -819,8 +819,12 @@ my $privgroups = {
 	admin => [
 	    'Pool.Allocate', # create/delete pools
 	],
-	user => [],
-	audit => [],
+	user => [
+	    'Pool.Audit',
+	],
+	audit => [
+	    'Pool.Audit',
+	],
     },
 };
 
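Review bot: the `user` and `audit` groups now carry exactly the same single privilege (`'Pool.Audit'`), so the PVEPoolUser role the commit message introduces grants nothing beyond audit access; if that is the intent, state it in the commit message, otherwise the `user` group can stay empty. A short comment in the style of `'Pool.Allocate', # create/delete pools` on the new entries (for example `'Pool.Audit', # view pool config and members`) would also keep the list self-documenting.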
-- 
2.20.1

* [pve-devel] [PATCH v2 manager 1/1] fix #3402: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
  To: pve-devel

everywhere where Pool.Allocate was unnecessarily used it was replaced
with Pool.Audit.

`/cluster/resources` now returns pool information for guests only if
the requesting user has the Pool.Audit permission on the pool.

`/pool/` now returns only pools where the requesting user has the
Pool.Audit permission.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 PVE/API2/Cluster.pm | 7 ++++++-
 PVE/API2/Pool.pm    | 7 ++++---
 PVE/API2/VZDump.pm  | 2 +-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
index ab5b28a1..641b846d 100644
--- a/PVE/API2/Cluster.pm
+++ b/PVE/API2/Cluster.pm
@@ -332,7 +332,7 @@ __PACKAGE__->register_method({
 	    for my $pool (sort keys %{$usercfg->{pools}}) {
 		my $d = $usercfg->{pools}->{$pool};
 
-		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
+		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
 
 		my $entry = {
 		    id => "/pool/$pool",
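Review bot: switching this check from `Pool.Allocate` to `Pool.Audit` means a user whose (custom) role grants only `Pool.Allocate` on `/pool/$pool` no longer sees that pool in `/cluster/resources`, which is the compat break the cover letter announces; if existing setups should keep working, `$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'Pool.Allocate' ], 1)` (the `check_any` form the old `PVE/API2/Pool.pm` code already used) would accept either, otherwise the README/docs entry for `Pool.Allocate` should say that it no longer implies read access.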
@@ -384,6 +384,11 @@ __PACKAGE__->register_method({
 		    $entry->{lock} = $lock;
 		}
 
+		if (defined($entry->{pool}) &&
+		    !$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
+		    delete $entry->{pool};
+		}
+
 		# get ha status
 		if (my $hatype = $hatypemap->{$entry->{type}}) {
 		    my $sid = "$hatype:$vmid";
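Review bot: this block duplicates the filter already present in `PVE/API2/VZDump.pm` (`if (defined($pool) && !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) { delete $res->{pool}; }`, see the VZDump hunk in this patch); a small shared helper taking `$rpcenv`, `$authuser` and the entry would keep both sites in sync the next time the required privilege changes. The check also runs once per guest entry inside the loop; caching the per-pool result in a hash keyed by pool name avoids repeating the same ACL lookup for every guest in one pool.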
diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
index 43375b02..28c29ab8 100644
--- a/PVE/API2/Pool.pm
+++ b/PVE/API2/Pool.pm
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "Pool index.",
     permissions => {
-	description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
+	description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
 	user => 'all',
     },
     parameters => {
@@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
 
 	my $usercfg = $rpcenv->{user_cfg};
 
+
 	my $res = [];
 	for my $pool (sort keys %{$usercfg->{pools}}) {
-	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
+	    next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
 
 	    my $entry = { poolid => $pool };
 	    my $pool_config = $usercfg->{pools}->{$pool};
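Review bot: the old `check_any` also accepted `VM.Allocate`, so a user who may create guests in a pool but lacks `Pool.Audit` can no longer enumerate that pool through the index; the cover letter only announces a compat break for `Pool.Allocate`, so either keep `VM.Allocate` in the list (`check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1)`) or mention this second break explicitly. The added empty line above `my $res = [];` is an unrelated whitespace change and should be dropped.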
@@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
     path => '{poolid}',
     method => 'GET',
     permissions => {
-	check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
+	check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
     },
     description => "Get pool configuration.",
     parameters => {
diff --git a/PVE/API2/VZDump.pm b/PVE/API2/VZDump.pm
index 82dd9415..4093d82f 100644
--- a/PVE/API2/VZDump.pm
+++ b/PVE/API2/VZDump.pm
@@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
 
 	my $pool = $res->{pool};
 	if (defined($pool) &&
-	    !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
+	    !$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
 	    delete $res->{pool};
 	}
 
-- 
2.20.1

* [pve-devel] [PATCH v2 docs 1/1] fix #3202: pveum: add Pool.Audit permission
@ 2021-05-20 10:03 Lorenz Stechauner
From: Lorenz Stechauner @ 2021-05-20 10:03 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
---
 pveum.adoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pveum.adoc b/pveum.adoc
index 7120db7..71ea7ef 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -449,6 +449,7 @@ Node / System related privileges::
 * `Sys.Modify`: create/remove/modify node network parameters
 * `Group.Allocate`: create/remove/modify groups
 * `Pool.Allocate`: create/remove/modify a pool
+* `Pool.Audit`: view a pool
 * `Realm.Allocate`: create/remove/modify authentication realms
 * `Realm.AllocateUser`: assign user to a realm
 * `User.Modify`: create/remove/modify user access and details.
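Review bot: the commit subject says `fix #3202` while every other patch in the series says `fix #3402`; this looks like a typo in the bug number and should be corrected before applying. The entry itself matches the README wording (`view a pool`) and this list's style of no trailing period.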
-- 
2.20.1

* [pve-devel] applied-series: [PATCH-SERIES v2 manager/access-control/docs] fix #3402: add Pool.Audit permission
@ 2021-06-01  9:06 Fabian Grünbichler
From: Fabian Grünbichler @ 2021-06-01  9:06 UTC (permalink / raw)
  To: Proxmox VE development discussion

On May 20, 2021 12:03 pm, Lorenz Stechauner wrote:
> Note: compat breaking changes for Pool.Allocate permission
> 
> changes to v1:
> * docs patch now included
> * `/cluster/resources` now returns pool information for guests only if
>     the requesting user has the Pool.Audit permission on the pool
> 
> 
> 
> pve-manager:
> 
> Lorenz Stechauner (1):
>   fix #3402: add Pool.Audit permission
> 
>  PVE/API2/Cluster.pm | 7 ++++++-
>  PVE/API2/Pool.pm    | 7 ++++---
>  PVE/API2/VZDump.pm  | 2 +-
>  3 files changed, 11 insertions(+), 5 deletions(-)
> 
> 
> pve-access-control:
> 
> Lorenz Stechauner (1):
>   fix #3402: add Pool.Audit permission
> 
>  README                   | 1 +
>  src/PVE/AccessControl.pm | 8 ++++++--
>  2 files changed, 7 insertions(+), 2 deletions(-)
> 
> 
> pve-docs:
> 
> Lorenz Stechauner (1):
>   fix #3202: pveum: add Pool.Audit permission
> 
>  pveum.adoc | 1 +
>  1 file changed, 1 insertion(+)
> -- 
> 2.20.1