[PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates
@ 2026-05-28 11:35 Jakob Klocker
  2026-05-28 11:35 ` [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path Jakob Klocker
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Jakob Klocker @ 2026-05-28 11:35 UTC (permalink / raw)
  To: pve-devel; +Cc: Jakob Klocker

Managing node certificates currently requires broad /nodes/{node}
permissions, which violates the least-privilege principle. This
series adds /nodes/{node}/certificates as a dedicated ACL path and
moves the relevant permission checks onto it, so certificate
management can be done without granting node-wide rights.

The pve-access-control patch registers the new ACL path and must be
applied first. The pve-manager patches depend on it for the API
permission checks and the GUI path selector.

pve-access-control:

Jakob Klocker (1):
  fix #7513: acl: allow ACL access to /nodes/{node}/certificates path

  src/PVE/AccessControl.pm           |  1 +
  1 files changed, 1 insertions(+), 0 deletions(-)

pve-manager:

Jakob Klocker (2):
  fix #7513: api: certs: change ACL on certificates path
  fix #7513: ui: perm path store: add per-node certificates ACL path

 PVE/API2/ACME.pm                   |  6 +++---
 PVE/API2/Certificates.pm           |  4 ++--
 www/manager6/data/PermPathStore.js | 11 +++++++++--
 3 files changed, 14 insertions(+), 7 deletions(-)

-- 
2.47.3

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path
  2026-05-28 11:35 [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates Jakob Klocker
@ 2026-05-28 11:35 ` Jakob Klocker
  2026-05-28 11:35 ` [PATCH manager 2/3] fix #7513: api: certs: change ACL on certificates path Jakob Klocker
  2026-05-28 11:35 ` [PATCH manager 3/3] fix #7513: ui: perm path store: add per-node certificates ACL path Jakob Klocker
  2 siblings, 0 replies; 4+ messages in thread
From: Jakob Klocker @ 2026-05-28 11:35 UTC (permalink / raw)
  To: pve-devel; +Cc: Jakob Klocker

Currently access to /nodes/{node}/certificates requires /nodes/{node}
rights, this doesn't follow least-privilege best practice. Instead
of introducing a specific privilege, allow ACL access
to /nodes/{node}/certificates.

Link: https://bugzilla.proxmox.com/show_bug.cgi?id=7513
Signed-off-by: Jakob Klocker <j.klocker@proxmox.com>
---
 src/PVE/AccessControl.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 0d632b3..f005786 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1289,6 +1289,7 @@ sub check_path {
 	|/access/realm/[[:alnum:]\.\-\_]+
 	|/nodes
 	|/nodes/[[:alnum:]\.\-\_]+
+	|/nodes/[[:alnum:]\.\-\_]+/certificates
 	|/pool
 	|/pool/[A-Za-z0-9\.\-_]+(?:/[A-Za-z0-9\.\-_]+){0,2}
 	|/sdn
-- 
2.47.3




^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH manager 2/3] fix #7513: api: certs: change ACL on certificates path
  2026-05-28 11:35 [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates Jakob Klocker
  2026-05-28 11:35 ` [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path Jakob Klocker
@ 2026-05-28 11:35 ` Jakob Klocker
  2026-05-28 11:35 ` [PATCH manager 3/3] fix #7513: ui: perm path store: add per-node certificates ACL path Jakob Klocker
  2 siblings, 0 replies; 4+ messages in thread
From: Jakob Klocker @ 2026-05-28 11:35 UTC (permalink / raw)
  To: pve-devel; +Cc: Jakob Klocker

Endpoints under /nodes/{node}/certificates/* required
/nodes/{node} permission. To allow least-privileged for certification
changes, check the permissions on /nodes/{node}/certificates path
instead.

Link: https://bugzilla.proxmox.com/show_bug.cgi?id=7513
Signed-off-by: Jakob Klocker <j.klocker@proxmox.com>
---
 PVE/API2/ACME.pm         | 6 +++---
 PVE/API2/Certificates.pm | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/PVE/API2/ACME.pm b/PVE/API2/ACME.pm
index a948a72a..3f6679a0 100644
--- a/PVE/API2/ACME.pm
+++ b/PVE/API2/ACME.pm
@@ -160,7 +160,7 @@ __PACKAGE__->register_method({
     path => 'certificate',
     method => 'POST',
     permissions => {
-        check => ['perm', '/nodes/{node}', ['Sys.Modify']],
+        check => ['perm', '/nodes/{node}/certificates', ['Sys.Modify']],
     },
     description => "Order a new certificate from ACME-compatible CA.",
     protected => 1,
@@ -232,7 +232,7 @@ __PACKAGE__->register_method({
     path => 'certificate',
     method => 'PUT',
     permissions => {
-        check => ['perm', '/nodes/{node}', ['Sys.Modify']],
+        check => ['perm', '/nodes/{node}/certificates', ['Sys.Modify']],
     },
     description => "Renew existing certificate from CA.",
     protected => 1,
@@ -319,7 +319,7 @@ __PACKAGE__->register_method({
     path => 'certificate',
     method => 'DELETE',
     permissions => {
-        check => ['perm', '/nodes/{node}', ['Sys.Modify']],
+        check => ['perm', '/nodes/{node}/certificates', ['Sys.Modify']],
     },
     description => "Revoke existing certificate from CA.",
     protected => 1,
diff --git a/PVE/API2/Certificates.pm b/PVE/API2/Certificates.pm
index de8762c5..8da1e93b 100644
--- a/PVE/API2/Certificates.pm
+++ b/PVE/API2/Certificates.pm
@@ -87,7 +87,7 @@ __PACKAGE__->register_method({
     path => 'custom',
     method => 'POST',
     permissions => {
-        check => ['perm', '/nodes/{node}', ['Sys.Modify']],
+        check => ['perm', '/nodes/{node}/certificates', ['Sys.Modify']],
     },
     description => 'Upload or update custom certificate chain and key.',
     protected => 1,
@@ -165,7 +165,7 @@ __PACKAGE__->register_method({
     path => 'custom',
     method => 'DELETE',
     permissions => {
-        check => ['perm', '/nodes/{node}', ['Sys.Modify']],
+        check => ['perm', '/nodes/{node}/certificates', ['Sys.Modify']],
     },
     description => 'DELETE custom certificate chain and key.',
     protected => 1,
-- 
2.47.3




^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH manager 3/3] fix #7513: ui: perm path store: add per-node certificates ACL path
  2026-05-28 11:35 [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates Jakob Klocker
  2026-05-28 11:35 ` [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path Jakob Klocker
  2026-05-28 11:35 ` [PATCH manager 2/3] fix #7513: api: certs: change ACL on certificates path Jakob Klocker
@ 2026-05-28 11:35 ` Jakob Klocker
  2 siblings, 0 replies; 4+ messages in thread
From: Jakob Klocker @ 2026-05-28 11:35 UTC (permalink / raw)
  To: pve-devel; +Cc: Jakob Klocker

Expose /nodes/{node}/certificates as a selectable path in the
permission path store, so the more fine-grained certificate ACL
can be assigned through the GUI.

Link: https://bugzilla.proxmox.com/show_bug.cgi?id=7513
Signed-off-by: Jakob Klocker <j.klocker@proxmox.com>
---
 www/manager6/data/PermPathStore.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/www/manager6/data/PermPathStore.js b/www/manager6/data/PermPathStore.js
index 7210e0cd..bc2112ad 100644
--- a/www/manager6/data/PermPathStore.js
+++ b/www/manager6/data/PermPathStore.js
@@ -34,9 +34,16 @@ Ext.define('PVE.data.PermPathStore', {
         PVE.data.ResourceStore.each(function (record) {
             let path;
             switch (record.get('type')) {
-                case 'node':
-                    path = '/nodes/' + record.get('text');
+                case 'node': {
+                    let nodename = record.get('text');
+                    path = '/nodes/' + nodename;
+                    let certpath = '/nodes/' + nodename + '/certificates';
+                    if (!donePaths[certpath]) {
+                        me.add({ value: certpath });
+                        donePaths[certpath] = 1;
+                    }
                     break;
+                }
                 case 'network':
                     path = '/sdn/' + record.get('network-type') + 's/' + record.get('network');
                     break;
-- 
2.47.3




^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-05-28 11:37 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-28 11:35 [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates Jakob Klocker
2026-05-28 11:35 ` [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path Jakob Klocker
2026-05-28 11:35 ` [PATCH manager 2/3] fix #7513: api: certs: change ACL on certificates path Jakob Klocker
2026-05-28 11:35 ` [PATCH manager 3/3] fix #7513: ui: perm path store: add per-node certificates ACL path Jakob Klocker

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal