From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Lamprecht
To: pve-devel@lists.proxmox.com
Date: Sat, 17 Jun 2023 15:32:40 +0200
Message-Id: <20230617133241.3052198-1-t.lamprecht@proxmox.com>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [pve-devel] applied: [PATCH 1/2] disk api: avoid using unrelated Datastore.Audit priv for disk management
List-Id: Proxmox VE development discussion

Local disk and storage creation and listing is something rather different from the Proxmox VE storage client ABI, which provides abstract access to a variety of storage types, specifically targeted at virtual guest images, templates and backups.

The Datastore.* privilege group is specifically made for auditing the abstract configuration; here the name must be interpreted in context, and it must not just be assumed that, because "datastore" sounds like it could have something to do with disks or the creation of local storage, it must be a good fit.

Luckily, Sys.Audit was already used too, which is the correct one here: this is for node-specific (HW) details, not some config for accessing a datastore in a restricted way.

This is a step in splitting the disk management code out of the pve-storage package, and maybe even the repository.

Signed-off-by: Thomas Lamprecht
---
 src/PVE/API2/Disks.pm           | 7 ++-----
 src/PVE/API2/Disks/Directory.pm | 2 +-
 src/PVE/API2/Disks/LVM.pm       | 2 +-
 src/PVE/API2/Disks/LVMThin.pm   | 2 +-
 src/PVE/API2/Disks/ZFS.pm       | 4 ++--
 5 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/PVE/API2/Disks.pm b/src/PVE/API2/Disks.pm index bde6132..f0e3fc4 100644 --- a/src/PVE/API2/Disks.pm +++ b/src/PVE/API2/Disks.pm
@@ -85,10 +85,7 @@ __PACKAGE__->register_method ({ protected => 1, proxyto => 'node', permissions => { - check => ['or', - ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], - ['perm', '/nodes/{node}', ['Sys.Audit', 'Datastore.Audit'], any => 1], - ], + check => ['or', ['perm', '/', ['Sys.Audit']], ['perm', '/nodes/{node}', ['Sys.Audit']]], }, parameters => { additionalProperties => 0, @@ -183,7 +180,7 @@ __PACKAGE__->register_method ({ protected => 1, proxyto => "node", permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['perm', '/', ['Sys.Audit']], }, parameters => { additionalProperties => 0, diff --git a/src/PVE/API2/Disks/Directory.pm b/src/PVE/API2/Disks/Directory.pm index efc701a..5cddddb 100644 --- a/src/PVE/API2/Disks/Directory.pm +++ b/src/PVE/API2/Disks/Directory.pm @@ -97,7 +97,7 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['perm', '/', ['Sys.Audit']], }, description => "PVE Managed Directory storages.", parameters => { diff --git a/src/PVE/API2/Disks/LVM.pm b/src/PVE/API2/Disks/LVM.pm index c091e37..f0419f6 100644 --- a/src/PVE/API2/Disks/LVM.pm +++ b/src/PVE/API2/Disks/LVM.pm @@ -21,7 +21,7 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['perm', '/', ['Sys.Audit']], }, description => "List LVM Volume Groups", parameters => { diff --git a/src/PVE/API2/Disks/LVMThin.pm b/src/PVE/API2/Disks/LVMThin.pm index 89b6401..bd6d47b 100644 --- a/src/PVE/API2/Disks/LVMThin.pm +++ b/src/PVE/API2/Disks/LVMThin.pm 
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['perm', '/', ['Sys.Audit']], }, description => "List LVM thinpools", parameters => { diff --git a/src/PVE/API2/Disks/ZFS.pm b/src/PVE/API2/Disks/ZFS.pm index afd9a3e..6a4381c 100644 --- a/src/PVE/API2/Disks/ZFS.pm +++ b/src/PVE/API2/Disks/ZFS.pm @@ -57,7 +57,7 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['perm', '/', ['Sys.Audit']], }, description => "List Zpools.", parameters => { @@ -130,7 +130,7 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1], + check => ['perm', '/', ['Sys.Audit']], }, description => "Get details about a zpool.", parameters => { -- 2.39.2
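Review bot: in the first Disks.pm hunk (@@ -85,10 +85,7, the disk list endpoint) the user-visible effect of the new check is a privilege tightening that the commit message does not spell out: a user who holds only `Datastore.Audit` passed the old `any => 1` check and can no longer list a node's disks once `['Sys.Audit', 'Datastore.Audit'], any => 1` becomes `['Sys.Audit']`. Dropping `any => 1` itself is fine, since it is meaningless for a single-element privilege list, but administrators whose custom roles relied on `Datastore.Audit` for this endpoint will see a new permission error, so a sentence in the commit message and an entry in the API changelog or release notes would help them find the cause.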
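Review bot: the second Disks.pm hunk (@@ -183,7 +180,7) keeps only `['perm', '/', ['Sys.Audit']]`, while the first hunk in the same file still accepts `Sys.Audit` on either `/` or `/nodes/{node}`; the hunks in Directory.pm, LVM.pm, LVMThin.pm and both ZFS.pm hunks follow the `/`-only form. The result is that a user granted `Sys.Audit` on a single `/nodes/<node>` path can list that node's disks but not its directory storages, volume groups, thin pools or zpools, even though every one of these methods is `proxyto => 'node'` and reports per-node hardware state. If that asymmetry is intended, a short comment at the `/`-only checks would save the next reader the question; otherwise the same `['or', ['perm', '/', ['Sys.Audit']], ['perm', '/nodes/{node}', ['Sys.Audit']]]` form could be used in all of them.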
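The following is an added example, written for this page and not code from pve-storage or pve-access-control: a small Perl evaluator for the nested `check` expressions that PVE API methods declare in their `permissions` block, run against a constructed ACL to show what the patch changes. The ACL model (per-path privilege sets that optionally propagate to sub-paths), the `privs_on_path` and `check_allowed` helpers and the three users `auditor@pve`, `hwadmin@pve` and `root@pam` are all assumptions for illustration; the real evaluation lives in pve-access-control and handles more operators and role expansion. With these inputs, `auditor@pve` (only `Datastore.Audit` on `/`) passes the old disk-list check and fails the new one, and `hwadmin@pve` (`Sys.Audit` on `/nodes/node1` only) passes both forms of the disk-list check but fails the `/`-only check the other listing endpoints in the patch use.

```perl
#!/usr/bin/perl
# Added example, not code from pve-storage or pve-access-control: a minimal
# evaluator for PVE API 'check' expressions run against a constructed ACL.
# The ACL model below (per-path privilege sets with a propagate flag) is a
# simplified stand-in for the real access-control code, not its implementation.
use strict;
use warnings;

# Constructed ACL with roles already expanded to privileges (assumption):
# $ACL->{$user}->{$path} = { privs => [...], propagate => 0|1 }
my $ACL = {
    'auditor@pve' => {
        '/' => { privs => ['Datastore.Audit'], propagate => 1 },
    },
    'hwadmin@pve' => {
        '/nodes/node1' => { privs => ['Sys.Audit'], propagate => 1 },
    },
    'root@pam' => {
        '/' => { privs => ['Sys.Audit', 'Datastore.Audit'], propagate => 1 },
    },
};

# Privileges $user holds on $path: an entry on $path itself always counts,
# an entry on an ancestor path only counts when it propagates.
sub privs_on_path {
    my ($user, $path) = @_;
    my %have;
    my $entries = $ACL->{$user} // {};
    for my $acl_path (keys %$entries) {
        my $e = $entries->{$acl_path};
        my $is_self = $acl_path eq $path;
        my $is_ancestor = $acl_path eq '/'
            ? $path =~ m{^/}
            : $path =~ m{^\Q$acl_path\E/};
        next unless $is_self || ($is_ancestor && $e->{propagate});
        $have{$_} = 1 for @{$e->{privs}};
    }
    return \%have;
}

# Evaluate a check expression of the forms used in the patch:
#   ['perm', $path, [@privs], any => 1]   all privs required unless any => 1
#   ['or', @exprs] / ['and', @exprs]      boolean combination of sub-checks
# '{name}' inside a path is substituted from the request parameters.
sub check_allowed {
    my ($user, $expr, $params) = @_;
    my ($op, @rest) = @$expr;
    if ($op eq 'perm') {
        my ($path, $privs, %opts) = @rest;
        $path =~ s/\{(\w+)\}/
            exists $params->{$1} ? $params->{$1} : die "missing param $1\n"
        /ge;
        my $have = privs_on_path($user, $path);
        my @ok = grep { $have->{$_} } @$privs;
        return $opts{any} ? (@ok > 0 ? 1 : 0) : (@ok == @$privs ? 1 : 0);
    } elsif ($op eq 'or') {
        for my $sub (@rest) { return 1 if check_allowed($user, $sub, $params); }
        return 0;
    } elsif ($op eq 'and') {
        for my $sub (@rest) { return 0 unless check_allowed($user, $sub, $params); }
        return 1;
    }
    die "unknown check operator '$op'\n";
}

# The disk list check before and after the patch, copied from the diff.
my $old_check = ['or',
    ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
    ['perm', '/nodes/{node}', ['Sys.Audit', 'Datastore.Audit'], any => 1],
];
my $new_check = ['or', ['perm', '/', ['Sys.Audit']], ['perm', '/nodes/{node}', ['Sys.Audit']]];
# The '/'-only form the other listing endpoints in the patch use.
my $root_only_check = ['perm', '/', ['Sys.Audit']];

my $params = { node => 'node1' };    # request parameter, as proxyto => 'node' supplies it
for my $user (sort keys %$ACL) {
    printf "%-14s old=%d new=%d root-only=%d\n", $user,
        check_allowed($user, $old_check, $params),
        check_allowed($user, $new_check, $params),
        check_allowed($user, $root_only_check, $params);
}
```

Run it with `perl` from any directory; it needs nothing beyond core Perl. The `root-only` column is the one to watch when deciding whether the `/`-only checks in the other files should also accept `Sys.Audit` on `/nodes/{node}`: a node-scoped hardware auditor is allowed by the disk list check but denied by the others, which is the asymmetry a reviewer would want either documented or removed.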