From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 5C5749170A for ; Mon, 14 Nov 2022 10:44:44 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5E916210B7 for ; Mon, 14 Nov 2022 10:44:13 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 14 Nov 2022 10:44:06 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 5601E43D85 for ; Mon, 14 Nov 2022 10:44:06 +0100 (CET) From: Dominik Csapak To: pve-devel@lists.proxmox.com Date: Mon, 14 Nov 2022 10:43:48 +0100 Message-Id: <20221114094404.1241050-5-d.csapak@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20221114094404.1241050-1-d.csapak@proxmox.com> References: <20221114094404.1241050-1-d.csapak@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: =?UTF-8?Q?0=0A=09?=AWL 0.065 Adjusted score from AWL reputation of From: =?UTF-8?Q?address=0A=09?=BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict =?UTF-8?Q?Alignment=0A=09?=SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF =?UTF-8?Q?Record=0A=09?=SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH cluster v9 4/4] datacenter.cfg: add tag rights control to the datacenter config X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Nov 2022 09:44:44 -0000 by adding a 'user-tag-privileges' and 'admin-tags' option. The first sets the policy by which "normal" users (with 'VM.Config.Options' on the respective guest) can create/delete tags and the second is a list of tags only settable by 'admins' ('Sys.Modify' on '/') also add a helper 'get_allowed_tags' that returns the allowed (existing) tags, the privileged tags, and if a user can enter 'freeform' tags. Signed-off-by: Dominik Csapak --- changes from v8: * renamed properties * improved descriptions * renamed get_user_admin_tag to get_allowed_tags and consider the user priviliges, also return if we allow 'freeform' tags * smaller bug fixes (e.g. list reference handling in join) data/PVE/DataCenterConfig.pm | 107 +++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) diff --git a/data/PVE/DataCenterConfig.pm b/data/PVE/DataCenterConfig.pm index 532e5e5..b689942 100644 --- a/data/PVE/DataCenterConfig.pm +++ b/data/PVE/DataCenterConfig.pm @@ -154,6 +154,32 @@ my $tag_style_format = { }, }; +my $user_tag_privs_format = { + 'user-allow' => { + optional => 1, + type => 'string', + enum => ['none', 'list', 'existing', 'free'], + default => 'free', + description => "Controls tag usage for users without `Sys.Modify` on `/` bey either " + ."allowing `none`, a `list`, already `existing` or anything (`free`).", + verbose_description => "Controls which tags can be set or deleted on resources an user " + ."controls (such as guests). Users iwth the `Sys.Modify` privilege on `/` are always " + ." unrestricted. " + ."'none' means no tags are modifiable. " + ."'list' allows tags from the given list. " + ."'existing' means only already existing tags of resources able to access or from the" + ."given list. " + ."'free' means users can assign any tags." + }, + 'user-allow-list' => { + optional => 1, + type => 'string', + pattern => "${PVE::JSONSchema::PVE_TAG_RE}(?:\;${PVE::JSONSchema::PVE_TAG_RE})*", + typetext => "[;...]", + description => "List of tags users are allowed to set and delete (semicolon separated).", + }, +}; + my $datacenter_schema = { type => "object", additionalProperties => 0, @@ -285,12 +311,68 @@ my $datacenter_schema = { description => "Tag style options.", format => $tag_style_format, }, + 'user-tag-access' => { + optional => 1, + type => 'string', + description => "Privilege options for user settable tags", + format => $user_tag_privs_format, + }, + 'privileged-tags' => { + optional => 1, + type => 'string', + description => "A list of tags that require a `Sys.Modify` on '/') to set and delete. " + ."Tags set here that are also in 'user-tag-access' also require `Sys.Modify`.", + pattern => "(?:${PVE::JSONSchema::PVE_TAG_RE};)*${PVE::JSONSchema::PVE_TAG_RE}", + typetext => "[;...]", + }, }, }; # make schema accessible from outside (for documentation) sub get_datacenter_schema { return $datacenter_schema }; +# in scalar context, returns the list of allowed tags that exist +# in list context, returns a tuple of allowed tags, privileged tags, and if freeform is enabled +# +# requires an instance of rpcenv and a user to check the correct privileges for the allowed tags +sub get_allowed_tags { + my ($rpcenv, $user) = @_; + + my $privileged_user = $rpcenv->check($user, '/', ['Sys.Modify'], 1); + + my $dc = PVE::Cluster::cfs_read_file('datacenter.cfg'); + + my $freeform = 1; + my $allowed_tags = {}; + my $privileged_tags = {}; + if (my $tags = $dc->{'privileged-tags'}) { + $privileged_tags->{$_} = 1 for $tags->@*; + } + my $user_tag_privs = $dc->{'user-tag-access'} // {}; + my $user_allow = $user_tag_privs->{'user-allow'} // 'free'; + $freeform = $user_allow eq 'free'; + + if ($user_allow ne 'none' || $privileged_user) { + map { $allowed_tags->{$_} = 1 } ($user_tag_privs->{'user-allow-list'} // [])->@*; + } + + if ($user_allow eq 'free' || $user_allow eq 'existing' || $privileged_user) { + my $props = PVE::Cluster::get_guest_config_properties(['tags']); + for my $vmid (keys $props->%*) { + next if !$privileged_user && !$rpcenv->check_vm_perm($user, $vmid, undef, ['VM.Audit'], 1, 1); + map { $allowed_tags->{$_} = 1 } PVE::Tools::split_list($props->{$vmid}->{tags}); + } + } + + if ($privileged_user) { + $allowed_tags->{$_} = 1 for keys $privileged_tags->%*; + } else { + delete $allowed_tags->{$_} for keys $privileged_tags->%*; + } + + return wantarray ? ($allowed_tags, $privileged_tags, $freeform) : $allowed_tags; +} + sub parse_datacenter_config { my ($filename, $raw) = @_; @@ -333,6 +415,19 @@ sub parse_datacenter_config { $res->{'tag-style'} = parse_property_string($tag_style_format, $tag_style); } + if (my $user_tag_privs = $res->{'user-tag-access'}) { + $res->{'user-tag-access'} = + parse_property_string($user_tag_privs_format, $user_tag_privs); + + if (my $user_tags = $res->{'user-tag-access'}->{'user-allow-list'}) { + $res->{'user-tag-access'}->{'user-allow-list'} = [split(';', $user_tags)]; + } + } + + if (my $admin_tags = $res->{'privileged-tags'}) { + $res->{'privileged-tags'} = [split(';', $admin_tags)]; + } + # for backwards compatibility only, new migration property has precedence if (defined($res->{migration_unsecure})) { if (defined($res->{migration}->{type})) { @@ -396,6 +491,18 @@ sub write_datacenter_config { $cfg->{'tag-style'} = PVE::JSONSchema::print_property_string($tag_style, $tag_style_format); } + if (ref(my $user_tag_privs = $cfg->{'user-tag-access'})) { + if (my $user_tags = $user_tag_privs->{'user-allow-list'}) { + $user_tag_privs->{'user-allow-list'} = join(';', sort $user_tags->@*); + } + $cfg->{'user-tag-access'} = + PVE::JSONSchema::print_property_string($user_tag_privs, $user_tag_privs_format); + } + + if (ref(my $admin_tags = $cfg->{'privileged-tags'})) { + $cfg->{'privileged-tags'} = join(';', sort $admin_tags->@*); + } + my $comment = ''; # add description as comment to top of file my $description = $cfg->{description} || ''; -- 2.30.2