From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control v4 1/1] add privileges and paths for cluster resource mapping
Date: Thu, 25 May 2023 12:17:44 +0200 [thread overview]
Message-ID: <20230525101753.2078811-3-d.csapak@proxmox.com> (raw)
In-Reply-To: <20230525101753.2078811-1-d.csapak@proxmox.com>
uses the privileges:
Resource.Use
Resource.Modify
on /resource/{TYPE}/{id}
so that we can assign privileges on resource level
this will generate new roles (PVEResourceUser, PVEResourceAdmin)
note that every user with Permissions.Modify on '/' and propagate can add these
new roles to themselves (Administrator and PVEAdmin roles currently have
this privilege)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
src/PVE/AccessControl.pm | 20 +++++++++++++++++++-
src/PVE/RPCEnvironment.pm | 7 +++++--
2 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 89b7d90..d093970 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1159,13 +1159,22 @@ my $privgroups = {
'Pool.Audit',
],
},
+ Resource => {
+ root => [],
+ admin => [
+ 'Resource.Modify',
+ ],
+ user => [
+ 'Resource.Use',
+ ],
+ },
};
my $valid_privs = {};
my $special_roles = {
'NoAccess' => {}, # no privileges
- 'Administrator' => $valid_privs, # all privileges
+ 'Administrator' => {}, # all privileges
};
sub create_roles {
@@ -1175,6 +1184,7 @@ sub create_roles {
foreach my $p (@{$cd->{root}}, @{$cd->{admin}},
@{$cd->{user}}, @{$cd->{audit}}) {
$valid_privs->{$p} = 1;
+ $special_roles->{"Administrator"}->{$p} = 1;
}
foreach my $p (@{$cd->{admin}}, @{$cd->{user}}, @{$cd->{audit}}) {
@@ -1191,6 +1201,11 @@ sub create_roles {
}
}
+ # remove Resource.Modify from Administrator and PVEAdmin, only
+ # root@pam and PVEResourceAdmin should be able to use that for now
+ delete $special_roles->{"Administrator"}->{"Resource.Modify"};
+ delete $special_roles->{"PVEAdmin"}->{"Resource.Modify"};
+
$special_roles->{"PVETemplateUser"} = { 'VM.Clone' => 1, 'VM.Audit' => 1 };
};
@@ -1288,6 +1303,9 @@ sub check_path {
|/storage/[[:alnum:]\.\-\_]+
|/vms
|/vms/[1-9][0-9]{2,}
+ |/resource
+ |/resource/[[:alnum:]\.\-\_]+/
+ |/resource/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+
)$!xs;
}
diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 8586938..8454939 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -137,7 +137,9 @@ sub permissions {
if ($user eq 'root@pam') { # root can do anything
my $cfg = $self->{user_cfg};
- return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
+ my $permissions = { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
+ $permissions->{"Resource.Modify"} = 1;
+ return $permissions;
}
if (!defined($path)) {
@@ -187,10 +189,11 @@ sub compute_api_permission {
nodes => qr/Sys\.|Permissions\.Modify/,
sdn => qr/SDN\.|Permissions\.Modify/,
dc => qr/Sys\.Audit|SDN\./,
+ resource => qr/Resource\./,
};
map { $res->{$_} = {} } keys %$priv_re_map;
- my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn'];
+ my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn', '/resource'];
my $defined_paths = [];
PVE::AccessControl::iterate_acl_tree("/", $usercfg->{acl_root}, sub {
my ($path, $node) = @_;
--
2.30.2
next prev parent reply other threads:[~2023-05-25 10:18 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-25 10:17 [pve-devel] [PATCH cluster/access-control/guest-common/qemu-server/manager v4] cluster mapping backend Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH cluster v4 1/1] add cfg files for resource mapping Dominik Csapak
2023-06-05 9:11 ` [pve-devel] applied: " Thomas Lamprecht
2023-05-25 10:17 ` Dominik Csapak [this message]
2023-05-25 10:17 ` [pve-devel] [PATCH guest-common v4 1/1] add PCI/USB Resource configs Dominik Csapak
2023-05-25 10:40 ` Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH qemu-server v4 1/6] enable cluster mapped USB devices for guests Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH qemu-server v4 2/6] enable cluster mapped PCI " Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH qemu-server v4 3/6] check_local_resources: extend for mapped resources Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH qemu-server v4 4/6] api: migrate preconditions: use new check_local_resources info Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH qemu-server v4 5/6] migration: check for mapped resources Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH qemu-server v4 6/6] add test for mapped pci devices Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH manager v4 1/2] pvesh: fix parameters for proxyto_callback Dominik Csapak
2023-05-25 10:17 ` [pve-devel] [PATCH manager v4 2/2] api: add resource map api endpoints for PCI and USB Dominik Csapak
2023-05-26 16:09 ` [pve-devel] [PATCH cluster/access-control/guest-common/qemu-server/manager v4] cluster mapping backend DERUMIER, Alexandre
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230525101753.2078811-3-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox