From: Dominik Csapak
To: pve-devel@lists.proxmox.com
Date: Wed, 16 Nov 2022 16:48:04 +0100
Message-Id: <20221116154815.358385-11-d.csapak@proxmox.com>
In-Reply-To: <20221116154815.358385-1-d.csapak@proxmox.com>
References: <20221116154815.358385-1-d.csapak@proxmox.com>
Subject: [pve-devel] [PATCH manager v11 02/13] api: allow all users to (partially) read datacenter.cfg

it contains most ui relevant options, like the console preference and tag-style so allow these for users without 'Sys.Audit' on '/' (unchanged for all others)

we also add the list of allowed tags. while not strictly a datacenter config, it's derived from the current users privileges and the datacenter config.

Signed-off-by: Dominik Csapak
--- PVE/API2.pm | 3 ++- PVE/API2/Cluster.pm | 24 ++++++++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/PVE/API2.pm b/PVE/API2.pm index a42561604..6703b941a 100644 --- a/PVE/API2.pm +++ b/PVE/API2.pm @@ -5,6 +5,7 @@ use warnings; use PVE::pvecfg; use PVE::DataCenterConfig; +use PVE::GuestHelpers; use PVE::RESTHandler; use PVE::JSONSchema; @@ -118,6 +119,7 @@ __PACKAGE__->register_method ({ my $res = {}; + # TODO remove with next major release my $datacenter_confg = eval { PVE::Cluster::cfs_read_file('datacenter.cfg') } // {}; for my $k (qw(console)) { $res->{$k} = $datacenter_confg->{$k} if exists $datacenter_confg->{$k}; @@ -129,5 +131,4 @@ __PACKAGE__->register_method ({ return $res; }}); - 1; 
diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm index 3ca85caa4..a06dc83a2 100644 --- a/PVE/API2/Cluster.pm +++ b/PVE/API2/Cluster.pm @@ -10,6 +10,7 @@ use PVE::Cluster qw(cfs_register_file cfs_lock_file cfs_read_file cfs_write_file use PVE::DataCenterConfig; use PVE::Exception qw(raise_param_exc); use PVE::Firewall; +use PVE::GuestHelpers; use PVE::HA::Config; use PVE::HA::Env::PVE2; use PVE::INotify; @@ -542,8 +543,9 @@ __PACKAGE__->register_method({ name => 'get_options', path => 'options', method => 'GET', - description => "Get datacenter options.", + description => "Get datacenter options. Without 'Sys.Audit' on '/' not all options are returned.", permissions => { + user => 'all', check => ['perm', '/', [ 'Sys.Audit' ]], }, parameters => { @@ -557,7 +559,25 @@ __PACKAGE__->register_method({ code => sub { my ($param) = @_; - return PVE::Cluster::cfs_read_file('datacenter.cfg'); + my $res = {}; + + my $rpcenv = PVE::RPCEnvironment::get(); + my $authuser = $rpcenv->get_user(); + + my $datacenter_config = eval { PVE::Cluster::cfs_read_file('datacenter.cfg') } // {}; + + if ($rpcenv->check($authuser, '/', ['Sys.Audit'], 1)) { + $res = $datacenter_config; + } else { + for my $k (qw(console tag-style)) { + $res->{$k} = $datacenter_config->{$k} if exists $datacenter_config->{$k}; + } + } + + my $tags = PVE::GuestHelpers::get_allowed_tags($rpcenv, $authuser); + $res->{'allowed-tags'} = [sort keys $tags->%*]; + + return $res; }}); __PACKAGE__->register_method({ -- 2.30.2
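Review bot: In PVE/API2.pm (hunk at -5,6) the new `use PVE::GuestHelpers;` has no caller in any hunk of that file; the only other changes there are a comment and a removed blank line. If nothing in API2.pm calls into GuestHelpers, drop the import from that file and keep it only in PVE/API2/Cluster.pm, where `PVE::GuestHelpers::get_allowed_tags` is actually used.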
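Review bot: The `# TODO remove with next major release` comment in PVE/API2.pm (hunk at -118,6) does not say what is to be removed or why. Name the block it refers to (the `console` value copied out of datacenter.cfg) and the replacement clients should use, which per this patch looks like the `options` endpoint in PVE/API2/Cluster.pm, so the TODO can be acted on without digging up this series.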
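Review bot: In the `get_options` permissions block of PVE/API2/Cluster.pm (hunk at -542,8), `user => 'all'` now sits next to the old `check => ['perm', '/', [ 'Sys.Audit' ]]`, while the handler does its own `$rpcenv->check(...)`, so the declared `check` no longer describes what gates the call. Drop the leftover `check` entry and put the real rule in a `description` under `permissions` (all authenticated users; the full config only with 'Sys.Audit' on '/'), so that anyone auditing the schema sees the access rule that is actually enforced.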
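Review bot: Wrapping the read in `eval { PVE::Cluster::cfs_read_file('datacenter.cfg') } // {}` in the `get_options` handler (hunk at -557,7) changes failure behaviour: the old code let a read error propagate, whereas now a caller with 'Sys.Audit' gets a response holding only `allowed-tags` and no indication that the config could not be read. Consider letting the error through on the privileged branch, or at least logging `$@`. In the same hunk, `$res = $datacenter_config;` aliases the hash returned by `cfs_read_file`, and the later `$res->{'allowed-tags'} = ...` writes into it; a shallow copy such as `$res = { $datacenter_config->%* };` keeps the response from modifying the config object. The explicit `qw(console tag-style)` allowlist for the unprivileged branch is the right default-deny shape and is worth a short comment saying that new datacenter.cfg keys stay hidden unless added there.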