From: Dominik Csapak
To: pve-devel@lists.proxmox.com
Date: Tue, 6 Jun 2023 15:52:00 +0200
Message-Id: <20230606135222.984747-2-d.csapak@proxmox.com>
In-Reply-To: <20230606135222.984747-1-d.csapak@proxmox.com>
References: <20230606135222.984747-1-d.csapak@proxmox.com>
Subject: [pve-devel] [PATCH access-control v5 1/1] add privileges and paths for cluster resource mapping

uses the privileges:

Mapping.Use
Mapping.Modify
Mapping.Audit

on /mapping/{TYPE}/{id} so that we can assign privileges on resource level

this will generate new roles (PVEMappingUser, PVEMappingAdmin, PVEMappingAuditor)

note that every user with Permissions.Modify on '/' and propagate can add these new roles to themselves

Signed-off-by: Dominik Csapak
---
changes from v4:
* administrator retains the mapping privs
* add Mapping.Audit priv
* slight modification of the regex for types only (remove trailing slash)
* add Permissions.Modify to regex of compute_api_permission

src/PVE/AccessControl.pm | 19 +++++++++++++++++++ src/PVE/RPCEnvironment.pm | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index c1ade4e..b903c96 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -1116,6 +1116,18 @@ my $privgroups = { 'Pool.Audit', ], }, + Mapping => { + root => [], + admin => [ + 'Mapping.Modify', + ], + user => [ + 'Mapping.Use', + ], + audit => [ + 'Mapping.Audit', + ], + }, }; my $valid_privs = {}; 
@@ -1148,6 +1160,10 @@ sub create_roles { } } + # remove Mapping.Modify from PVEAdmin, only Administrator, root@pam and + # PVEMappingAdmin should be able to use that for now + delete $special_roles->{"PVEAdmin"}->{"Mapping.Modify"}; + $special_roles->{"PVETemplateUser"} = { 'VM.Clone' => 1, 'VM.Audit' => 1 }; }; @@ -1245,6 +1261,9 @@ sub check_path { |/storage/[[:alnum:]\.\-\_]+ |/vms |/vms/[1-9][0-9]{2,} + |/mapping + |/mapping/[[:alnum:]\.\-\_]+ + |/mapping/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+ )$!xs; } diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm index 8586938..3eb0800 100644 --- a/src/PVE/RPCEnvironment.pm +++ b/src/PVE/RPCEnvironment.pm @@ -187,10 +187,11 @@ sub compute_api_permission { nodes => qr/Sys\.|Permissions\.Modify/, sdn => qr/SDN\.|Permissions\.Modify/, dc => qr/Sys\.Audit|SDN\./, + mapping => qr/Mapping\.|Permissions.Modify/, }; map { $res->{$_} = {} } keys %$priv_re_map; - my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn']; + my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn', '/mapping']; my $defined_paths = []; PVE::AccessControl::iterate_acl_tree("/", $usercfg->{acl_root}, sub { my ($path, $node) = @_; -- 2.30.2
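Review bot: in the `Mapping` privgroup hunk, `root => []` reserves none of the three new privileges to root, so `Mapping.Modify` is reachable by every principal that can obtain the generated PVEMappingAdmin role; the commit message already notes that anyone holding Permissions.Modify on '/' with propagate can assign these roles to themselves, and that consequence, together with the new privileges and the `/mapping/{TYPE}/{id}` ACL path, should be recorded in the user-facing privilege documentation, which this series does not touch.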
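Review bot: the comment above `delete $special_roles->{"PVEAdmin"}->{"Mapping.Modify"};` in create_roles says "for now" without stating what would change it; either name the intended follow-up or drop the qualifier so the restriction reads as the deliberate outcome of the v4 feedback ("administrator retains the mapping privs"). The delete itself is safe as written, since deleting an absent hash key is a no-op in Perl.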
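Review bot: the three new alternatives in check_path accept `/mapping`, `/mapping/<type>` and `/mapping/<type>/<id>` using the same `[[:alnum:]\.\-\_]+` class as the existing `/storage/` entry; since the change log says the type-level pattern was tightened to reject a trailing slash, a test asserting that `/mapping/<type>/` is rejected while `/mapping/<type>/<id>` is accepted would pin that behaviour down.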
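Review bot: `mapping => qr/Mapping\.|Permissions.Modify/,` leaves the dot in `Permissions.Modify` unescaped, unlike the `Permissions\.Modify` in the `nodes` and `sdn` entries two lines above; an unescaped `.` matches any character, which is harmless against the current privilege names but inconsistent with the surrounding map, so write `Permissions\.Modify` here as well. The `'/mapping'` entry added to `$required_paths` matches the other top-level paths in that list.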