public inbox for pve-devel@lists.proxmox.com
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control] add Sys.AccessNetwork privilege
Date: Mon, 19 Feb 2024 18:14:09 +0100
Message-ID: <20240219171412.1576651-2-t.lamprecht@proxmox.com>
In-Reply-To: <20240219171412.1576651-1-t.lamprecht@proxmox.com>

We have some API endpoints that can access the network from the POV of
a Proxmox VE node, like e.g., the one for downloading a template/ISO
image directly to a PVE storage from an HTTP URL, and the matching
query-url-metadata that makes this functionality much more convenient
to use in the UI. But the downside of such calls is naturally that
they basically allow scanning the whole network via HTTP URLs, and
potentially even downloading some image that the user should not have
access to and adding it to a VM that the user controls.

Due to that we limited the exposure of those API endpoints to
Sys.Modify on / (in addition to e.g. basic storage privs) for the
initial addition of the feature, as we were not sure about user
adoption and if a separate privilege could be justified.

Since we got a handful of requests like #5254 this justification is now
met, so add a 'Sys.AccessNetwork' privilege.
That name should make it clear that having that privilege will allow
access to the network, and the sys(tem) prefix should underline that
it's about the host system's network. Add it such that it will only be
available for the most powerful of our built-in special roles, namely
the Administration one, besides naturally the all-powerful root@pam
special user.

Admins can then e.g. create new roles that include Sys.AccessNetwork
and Datastore.AllocateTemplate which can then be used for allowing
automation to download images while adhering to the Least Privilege
Principle.

Buglink: https://bugzilla.proxmox.com/show_bug.cgi?id=5254
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 src/PVE/AccessControl.pm | 1 +
 src/test/perm-test1.pl   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 25fc0d9..faea70d 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1065,6 +1065,7 @@ my $privgroups = {
 	    'Sys.PowerMgmt',
 	    'Sys.Modify', # edit/change node settings
 	    'Sys.Incoming', # incoming storage/guest migrations
+	    'Sys.AccessNetwork', # for, e.g., downloading ISOs from any URL
 	],
 	admin => [
 	    'Sys.Console',
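Review bot: The new entry goes into the privilege group that closes just before `admin => [`, so only built-in roles generated from that group pick it up, and existing custom roles do not; the commit message should say so explicitly, because any role that was previously assembled around Sys.Modify on / for image downloads will need Sys.AccessNetwork granted once the API endpoints start checking it. The inline comment would also be more useful if it named the risk the commit message describes rather than only the use case, e.g. `'Sys.AccessNetwork', # reach the network from the host's POV, e.g., download ISOs from any URL`.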
diff --git a/src/test/perm-test1.pl b/src/test/perm-test1.pl
index 27aadeb..df9fe90 100755
--- a/src/test/perm-test1.pl
+++ b/src/test/perm-test1.pl
@@ -79,7 +79,7 @@ check_permission(
     . 'Pool.Allocate,Pool.Audit,'
     . 'Realm.Allocate,Realm.AllocateUser,'
     . 'SDN.Allocate,SDN.Audit,SDN.Use,'
-    . 'Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
+    . 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
     . 'User.Modify,'
     . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
     . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
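Review bot: The updated expected string keeps the sorted order (Sys.AccessNetwork before Sys.Audit), so the Administrator check in this fixture stays consistent. Since this is the only assertion touched, the patch relies on no other role fixture in perm-test1.pl gaining the privilege; a negative check that a role built from Sys.Modify alone still lacks Sys.AccessNetwork would pin down the exclusivity the commit message promises and catch a future accidental move of the entry into another privilege group.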
-- 
2.39.2