From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 05F00A22ED for ; Sat, 17 Jun 2023 15:32:49 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CE8171B5BF for ; Sat, 17 Jun 2023 15:32:48 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Sat, 17 Jun 2023 15:32:48 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B84A0460D0 for ; Sat, 17 Jun 2023 15:32:47 +0200 (CEST) From: Thomas Lamprecht To: pve-devel@lists.proxmox.com Date: Sat, 17 Jun 2023 15:32:41 +0200 Message-Id: <20230617133241.3052198-2-t.lamprecht@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230617133241.3052198-1-t.lamprecht@proxmox.com> References: <20230617133241.3052198-1-t.lamprecht@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.230 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [zfs.pm, directory.pm, lvm.pm, lvmthin.pm] Subject: [pve-devel] applied: [PATCH 2/2] disk api: only ask for Datastore.Allocate if adding to storage config X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Jun 2023 13:32:49 -0000 The Proxmox VE storage systems doesn't cares at all if the Datastore.Allocate privilege is present if no Proxmox VE storage will be allocated. Note, if we want to restrict this further as Sys.Modify on /, which is already quite a powerful permission, we should probably add a new one under the Sys. space, e.g., Sys.Disk.Use or the like. This is a step in splitting the disk manage code out of the pve-storage package, and maybe even repository Signed-off-by: Thomas Lamprecht --- src/PVE/API2/Disks/Directory.pm | 10 ++++++++-- src/PVE/API2/Disks/LVM.pm | 10 ++++++++-- src/PVE/API2/Disks/LVMThin.pm | 10 ++++++++-- src/PVE/API2/Disks/ZFS.pm | 10 ++++++++-- 4 files changed, 32 insertions(+), 8 deletions(-) diff --git a/src/PVE/API2/Disks/Directory.pm b/src/PVE/API2/Disks/Directory.pm index 5cddddb..099afae 100644 --- a/src/PVE/API2/Disks/Directory.pm +++ b/src/PVE/API2/Disks/Directory.pm @@ -165,7 +165,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Create a Filesystem on an unused disk. Will be mounted under '/mnt/pve/NAME'.", parameters => { @@ -221,6 +222,8 @@ __PACKAGE__->register_method ({ my $verify_params = [qw(path)]; if ($param->{add_storage}) { + $rpcenv->check($user, "/storage", ['Datastore.Allocate']); + # reserve the name and add as disabled, will be enabled below if creation works out PVE::API2::Storage::Config->create_or_update( $name, $node, $storage_params, $verify_params, 1); @@ -317,7 +320,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Unmounts the storage and removes the mount unit.", parameters => { @@ -347,6 +351,8 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $user = $rpcenv->get_user(); + $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'}; + my $name = $param->{name}; my $node = $param->{node}; diff --git a/src/PVE/API2/Disks/LVM.pm b/src/PVE/API2/Disks/LVM.pm index f0419f6..3c5bdfa 100644 --- a/src/PVE/API2/Disks/LVM.pm +++ b/src/PVE/API2/Disks/LVM.pm @@ -117,7 +117,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Create an LVM Volume Group", parameters => { @@ -162,6 +163,8 @@ __PACKAGE__->register_method ({ my $verify_params = [qw(vgname)]; if ($param->{add_storage}) { + $rpcenv->check($user, "/storage", ['Datastore.Allocate']); + # reserve the name and add as disabled, will be enabled below if creation works out PVE::API2::Storage::Config->create_or_update( $name, $node, $storage_params, $verify_params, 1); @@ -199,7 +202,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Remove an LVM Volume Group.", parameters => { @@ -229,6 +233,8 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $user = $rpcenv->get_user(); + $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'}; + my $name = $param->{name}; my $node = $param->{node}; diff --git a/src/PVE/API2/Disks/LVMThin.pm b/src/PVE/API2/Disks/LVMThin.pm index bd6d47b..f1c3957 100644 --- a/src/PVE/API2/Disks/LVMThin.pm +++ b/src/PVE/API2/Disks/LVMThin.pm @@ -75,7 +75,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Create an LVM thinpool", parameters => { @@ -120,6 +121,8 @@ __PACKAGE__->register_method ({ my $verify_params = [qw(vgname thinpool)]; if ($param->{add_storage}) { + $rpcenv->check($user, "/storage", ['Datastore.Allocate']); + # reserve the name and add as disabled, will be enabled below if creation works out PVE::API2::Storage::Config->create_or_update( $name, $node, $storage_params, $verify_params, 1); @@ -178,7 +181,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Remove an LVM thin pool.", parameters => { @@ -209,6 +213,8 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $user = $rpcenv->get_user(); + $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'}; + my $vg = $param->{'volume-group'}; my $lv = $param->{name}; my $node = $param->{node}; diff --git a/src/PVE/API2/Disks/ZFS.pm b/src/PVE/API2/Disks/ZFS.pm index 6a4381c..6fb6bd6 100644 --- a/src/PVE/API2/Disks/ZFS.pm +++ b/src/PVE/API2/Disks/ZFS.pm @@ -300,7 +300,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'add_storage'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Create a ZFS pool.", parameters => { @@ -383,6 +384,8 @@ __PACKAGE__->register_method ({ my $verify_params = [qw(pool)]; if ($param->{add_storage}) { + $rpcenv->check($user, "/storage", ['Datastore.Allocate']); + # reserve the name and add as disabled, will be enabled below if creation works out PVE::API2::Storage::Config->create_or_update( $name, $node, $storage_params, $verify_params, 1); @@ -507,7 +510,8 @@ __PACKAGE__->register_method ({ proxyto => 'node', protected => 1, permissions => { - check => ['perm', '/', ['Sys.Modify', 'Datastore.Allocate']], + description => "Requires additionally 'Datastore.Allocate' on /storage when setting 'cleanup-config'", + check => ['perm', '/', ['Sys.Modify']], }, description => "Destroy a ZFS pool.", parameters => { @@ -537,6 +541,8 @@ __PACKAGE__->register_method ({ my $rpcenv = PVE::RPCEnvironment::get(); my $user = $rpcenv->get_user(); + $rpcenv->check($user, "/storage", ['Datastore.Allocate']) if $param->{'cleanup-config'}; + my $name = $param->{name}; my $node = $param->{node}; -- 2.39.2