From: Fabian Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH-SERIES v2 manager/storage/container/qemu-server] improve check_volume_access
Date: Wed, 30 Mar 2022 12:24:26 +0200 [thread overview]
Message-ID: <20220330102437.46955-1-f.ebner@proxmox.com> (raw)
The first few patches are to allow access for users with
Datastore.Allocate privilege, without automatically giving them
permission to extract a backup config.
Patch storage 3/6 is in preparation for the import-from API, allowing
users with VM.Config.Disk (and Datastore.Audit) to list images of
their VMs.
The rest of the series introduces a content type parameter to
check_volume_access() for future-proofing.
Patch storage 2/6 technically breaks older manager, allowing all users
with Datastore.Allocate to extract backup configs, but I'm not sure
that's worth bothering about.
Dependency bumps for storage are needed for the content parameter to
actually have an effect.
Changes from v1:
* Always allow with Datastore.Allocate privilege.
* Also check for Datastore.Audit when listing guest images/rootdir
rather than just VM.Config.Disk.
manager:
Fabian Ebner (3):
api: vzdump: extract config: check for VM.Backup privilege
pveam: remove: add content type check
api: vzdump: extract config: add content type check
PVE/API2/VZDump.pm | 14 +++++++++++++-
PVE/CLI/pveam.pm | 2 +-
2 files changed, 14 insertions(+), 2 deletions(-)
storage:
Fabian Ebner (6):
pvesm: extract config: check for VM.Backup privilege
check volume access: always allow with Datastore.Allocate privilege
check volume access: allow for images/rootdir if user has
VM.Config.Disk
check volume accesss: add content type parameter
pvesm: extract config: add content type check
api: file restore: use check_volume_access to restrict content type
PVE/API2/Storage/FileRestore.pm | 12 ++++--------
PVE/CLI/pvesm.pm | 14 +++++++++++++-
PVE/Storage.pm | 15 ++++++++++++---
3 files changed, 29 insertions(+), 12 deletions(-)
container:
Fabian Ebner (1):
api: create/modify: add content type checks
src/PVE/API2/LXC.pm | 10 +++++++++-
src/PVE/LXC.pm | 9 ++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
qemu-server:
Fabian Ebner (1):
api: create/modify: add content type checks
PVE/API2/Qemu.pm | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
--
2.30.2
next reply other threads:[~2022-03-30 10:25 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-30 10:24 Fabian Ebner [this message]
2022-03-30 10:24 ` [pve-devel] [PATCH v2 manager 1/3] api: vzdump: extract config: check for VM.Backup privilege Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 storage 1/6] pvesm: " Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 storage 2/6] check volume access: always allow with Datastore.Allocate privilege Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 storage 3/6] check volume access: allow for images/rootdir if user has VM.Config.Disk Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 storage 4/6] check volume accesss: add content type parameter Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 storage 5/6] pvesm: extract config: add content type check Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 storage 6/6] api: file restore: use check_volume_access to restrict content type Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 manager 2/3] pveam: remove: add content type check Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 manager 3/3] api: vzdump: extract config: " Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 container 1/1] api: create/modify: add content type checks Fabian Ebner
2022-03-30 10:24 ` [pve-devel] [PATCH v2 qemu-server " Fabian Ebner
2022-04-01 8:04 ` [pve-devel] applied-series: [PATCH-SERIES v2 manager/storage/container/qemu-server] improve check_volume_access Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220330102437.46955-1-f.ebner@proxmox.com \
--to=f.ebner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox