* [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths
@ 2023-11-07 12:46 Lukas Wagner
2023-11-07 12:46 ` [pve-devel] [PATCH manager 2/2] api: notifications: give targets and matchers their own ACL namespace Lukas Wagner
2023-11-10 8:18 ` [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Thomas Lamprecht
0 siblings, 2 replies; 5+ messages in thread
From: Lukas Wagner @ 2023-11-07 12:46 UTC (permalink / raw)
To: pve-devel
This will be needed for ACL paths for the notification system,
which will get separate namespaces for targets and matchers:
/mapping/notification/targets/<name>
as well as
/mapping/notification/matchers/<name>
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
src/PVE/AccessControl.pm | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index cc0f00b..22aef69 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1277,6 +1277,7 @@ sub check_path {
|/mapping
|/mapping/[[:alnum:]\.\-\_]+
|/mapping/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+
+ |/mapping/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+
)$!xs;
}
--
2.39.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH manager 2/2] api: notifications: give targets and matchers their own ACL namespace
2023-11-07 12:46 [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Lukas Wagner
@ 2023-11-07 12:46 ` Lukas Wagner
2023-11-10 8:18 ` [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Thomas Lamprecht
1 sibling, 0 replies; 5+ messages in thread
From: Lukas Wagner @ 2023-11-07 12:46 UTC (permalink / raw)
To: pve-devel
Right now, matchers and targets share a single namespace due to
limitations of the section-config parser. This will probably be fixed
some time in the future.
As a preparation for that we need to ensure that the ACL tree has
separate namespaces for both.
Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
---
This patch requires the pve-manager patches from my notification
revamp patch series.
PVE/API2/Cluster/Notifications.pm | 55 +++++++++++++++----------------
1 file changed, 27 insertions(+), 28 deletions(-)
diff --git a/PVE/API2/Cluster/Notifications.pm b/PVE/API2/Cluster/Notifications.pm
index 8f716f26..6ff6d89e 100644
--- a/PVE/API2/Cluster/Notifications.pm
+++ b/PVE/API2/Cluster/Notifications.pm
@@ -57,7 +57,7 @@ sub raise_api_error {
}
sub filter_entities_by_privs {
- my ($rpcenv, $entities) = @_;
+ my ($rpcenv, $prefix, $entities) = @_;
my $authuser = $rpcenv->get_user();
my $can_see_mapping_privs = ['Mapping.Modify', 'Mapping.Use', 'Mapping.Audit'];
@@ -65,7 +65,7 @@ sub filter_entities_by_privs {
my $filtered = [grep {
$rpcenv->check_any(
$authuser,
- "/mapping/notification/$_->{name}",
+ "/mapping/notification/$prefix/$_->{name}",
$can_see_mapping_privs,
1
);
@@ -138,8 +138,7 @@ __PACKAGE__->register_method ({
description => 'Returns a list of all entities that can be used as notification targets.',
permissions => {
description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
- . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'."
- . " The special 'mail-to-root' target is available to all users.",
+ . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'.",
user => 'all',
},
protected => 1,
@@ -199,7 +198,7 @@ __PACKAGE__->register_method ({
raise_api_error($@) if $@;
- return filter_entities_by_privs($rpcenv, $targets);
+ return filter_entities_by_privs($rpcenv, "targets", $targets);
}
});
@@ -211,7 +210,7 @@ __PACKAGE__->register_method ({
description => 'Send a test notification to a provided target.',
permissions => {
description => "The user requires 'Mapping.Modify', 'Mapping.Use' or"
- . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'."
+ . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'."
. " The special 'mail-to-root' target can be accessed by all users.",
user => 'all',
},
@@ -236,7 +235,7 @@ __PACKAGE__->register_method ({
$rpcenv->check_any(
$authuser,
- "/mapping/notification/$name",
+ "/mapping/notification/targets/$name",
$privs,
);
@@ -299,7 +298,7 @@ __PACKAGE__->register_method ({
description => 'Returns a list of all sendmail endpoints',
permissions => {
description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
- . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'.",
+ . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'.",
user => 'all',
},
protected => 1,
@@ -324,7 +323,7 @@ __PACKAGE__->register_method ({
};
raise_api_error($@) if $@;
- return filter_entities_by_privs($rpcenv, $entities);
+ return filter_entities_by_privs($rpcenv, "targets", $entities);
}
});
@@ -335,8 +334,8 @@ __PACKAGE__->register_method ({
description => 'Return a specific sendmail endpoint',
permissions => {
check => ['or',
- ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
- ['perm', '/mapping/notification/{name}', ['Mapping.Audit']],
+ ['perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
+ ['perm', '/mapping/notification/targets/{name}', ['Mapping.Audit']],
],
},
protected => 1,
@@ -380,7 +379,7 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new sendmail endpoint',
permissions => {
- check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+ check => ['perm', '/mapping/notification/targets', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -426,7 +425,7 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing sendmail endpoint',
permissions => {
- check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+ check => [ 'perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -490,7 +489,7 @@ __PACKAGE__->register_method ({
method => 'DELETE',
description => 'Remove sendmail endpoint',
permissions => {
- check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+ check => ['perm', '/mapping/notification/targets', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -548,7 +547,7 @@ __PACKAGE__->register_method ({
protected => 1,
permissions => {
description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
- . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'.",
+ . " 'Mapping.Audit' permissions on '/mapping/notification/targets/<name>'.",
user => 'all',
},
parameters => {
@@ -572,7 +571,7 @@ __PACKAGE__->register_method ({
};
raise_api_error($@) if $@;
- return filter_entities_by_privs($rpcenv, $entities);
+ return filter_entities_by_privs($rpcenv, "targets", $entities);
}
});
@@ -584,8 +583,8 @@ __PACKAGE__->register_method ({
protected => 1,
permissions => {
check => ['or',
- ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
- ['perm', '/mapping/notification/{name}', ['Mapping.Audit']],
+ ['perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
+ ['perm', '/mapping/notification/targets/{name}', ['Mapping.Audit']],
],
},
parameters => {
@@ -628,7 +627,7 @@ __PACKAGE__->register_method ({
method => 'POST',
description => 'Create a new gotify endpoint',
permissions => {
- check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+ check => ['perm', '/mapping/notification/targets', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -670,7 +669,7 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing gotify endpoint',
permissions => {
- check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+ check => [ 'perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -729,7 +728,7 @@ __PACKAGE__->register_method ({
method => 'DELETE',
description => 'Remove gotify endpoint',
permissions => {
- check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+ check => [ 'perm', '/mapping/notification/targets/{name}', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -825,7 +824,7 @@ __PACKAGE__->register_method ({
protected => 1,
permissions => {
description => "Only lists entries where you have 'Mapping.Modify', 'Mapping.Use' or"
- . " 'Mapping.Audit' permissions on '/mapping/notification/<name>'.",
+ . " 'Mapping.Audit' permissions on '/mapping/notification/matchers/<name>'.",
user => 'all',
},
parameters => {
@@ -849,7 +848,7 @@ __PACKAGE__->register_method ({
};
raise_api_error($@) if $@;
- return filter_entities_by_privs($rpcenv, $entities);
+ return filter_entities_by_privs($rpcenv, "matchers", $entities);
}
});
@@ -861,8 +860,8 @@ __PACKAGE__->register_method ({
protected => 1,
permissions => {
check => ['or',
- ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
- ['perm', '/mapping/notification/{name}', ['Mapping.Audit']],
+ ['perm', '/mapping/notification/matchers/{name}', ['Mapping.Modify']],
+ ['perm', '/mapping/notification/matchers/{name}', ['Mapping.Audit']],
],
},
parameters => {
@@ -906,7 +905,7 @@ __PACKAGE__->register_method ({
description => 'Create a new matcher',
protected => 1,
permissions => {
- check => ['perm', '/mapping/notification', ['Mapping.Modify']],
+ check => ['perm', '/mapping/notification/matchers', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -956,7 +955,7 @@ __PACKAGE__->register_method ({
method => 'PUT',
description => 'Update existing matcher',
permissions => {
- check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+ check => [ 'perm', '/mapping/notification/matchers/{name}', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
@@ -1022,7 +1021,7 @@ __PACKAGE__->register_method ({
method => 'DELETE',
description => 'Remove matcher',
permissions => {
- check => ['perm', '/mapping/notification/{name}', ['Mapping.Modify']],
+ check => ['perm', '/mapping/notification/matchers/{name}', ['Mapping.Modify']],
},
parameters => {
additionalProperties => 0,
--
2.39.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths
2023-11-07 12:46 [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Lukas Wagner
2023-11-07 12:46 ` [pve-devel] [PATCH manager 2/2] api: notifications: give targets and matchers their own ACL namespace Lukas Wagner
@ 2023-11-10 8:18 ` Thomas Lamprecht
2023-11-10 8:47 ` Lukas Wagner
1 sibling, 1 reply; 5+ messages in thread
From: Thomas Lamprecht @ 2023-11-10 8:18 UTC (permalink / raw)
To: Proxmox VE development discussion, Lukas Wagner
Am 07/11/2023 um 13:46 schrieb Lukas Wagner:
> This will be needed for ACL paths for the notification system,
> which will get separate namespaces for targets and matchers:
>
> /mapping/notification/targets/<name>
> as well as
> /mapping/notification/matchers/<name>
Not that it matters much to this supporting patch, but above should all
use the singular, or? I.e., like "notification" also use "target" and
"matcher".
And it also feels a tad to fine-grained for me, but can be OK, maybe
someone else got an opinion on that (@Fabian?)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths
2023-11-10 8:18 ` [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Thomas Lamprecht
@ 2023-11-10 8:47 ` Lukas Wagner
2023-11-13 15:41 ` Thomas Lamprecht
0 siblings, 1 reply; 5+ messages in thread
From: Lukas Wagner @ 2023-11-10 8:47 UTC (permalink / raw)
To: Thomas Lamprecht, Proxmox VE development discussion
On 11/10/23 09:18, Thomas Lamprecht wrote:
> Am 07/11/2023 um 13:46 schrieb Lukas Wagner:
>> This will be needed for ACL paths for the notification system,
>> which will get separate namespaces for targets and matchers:
>>
>> /mapping/notification/targets/<name>
>> as well as
>> /mapping/notification/matchers/<name>
>
> Not that it matters much to this supporting patch, but above should all
> use the singular, or? I.e., like "notification" also use "target" and
> "matcher".
>
Yeah, I also was kind of unsure about that, but in the end I used the
plural form because that's what I use for the API routes.
e.g.
/cluster/notifications/targets
/cluster/notifications/matchers
However, now I see another discrepancy I missed before, the API route
also uses 'notifications' in its plural form.
So maybe it would make sense to have the ACL tree nodes match that
exactlty? E.g.
/mapping/notifications/targets
I don't have any strong preference for any form, I just think
that some consistency with the API would be nice - and changing
the API routes would be much more work ;)
And regarding the granularity: Yes, maybe that's a bit overkill now. The
per-target permissions were kind of important with the 'old' system
where we would select a target at the notification call site (e.g. a
backup job), but with the new 'pub-sub'-alike system it probably does
not matter that much any more. But I don't really have any strong
preference here as well.
--
- Lukas
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths
2023-11-10 8:47 ` Lukas Wagner
@ 2023-11-13 15:41 ` Thomas Lamprecht
0 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2023-11-13 15:41 UTC (permalink / raw)
To: Proxmox VE development discussion, Lukas Wagner
Am 10/11/2023 um 09:47 schrieb Lukas Wagner:
> I don't have any strong preference for any form, I just think
> that some consistency with the API would be nice - and changing
> the API routes would be much more work ;)
hehe OK, as said, it doesn't matters that much so I'm fine with whatever
you prefer here.
>
> And regarding the granularity: Yes, maybe that's a bit overkill now. The
> per-target permissions were kind of important with the 'old' system
> where we would select a target at the notification call site (e.g. a
> backup job), but with the new 'pub-sub'-alike system it probably does
> not matter that much any more. But I don't really have any strong
> preference here as well.
>
FWIW, we can extend the system with the next major release, but it's
almost impossible to shrink it again without causing a bigger fall out
(if it's used at all that is), so just from that starting out with a
smaller scope would be better. But here we would need to reduce the
scope quite a bit, i.e., having just /mappings/notifications left, as
otherwise there's no good way to (potentially) extent that in the future -
which (while better than root-only via configuring postfix now)
is definitively limited.
So yeah, whatever we do, this is something that can only be judged well
in retro-perspective through user feedback, just go with your gut-feeling
I guess.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-11-13 15:42 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-11-07 12:46 [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Lukas Wagner
2023-11-07 12:46 ` [pve-devel] [PATCH manager 2/2] api: notifications: give targets and matchers their own ACL namespace Lukas Wagner
2023-11-10 8:18 ` [pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths Thomas Lamprecht
2023-11-10 8:47 ` Lukas Wagner
2023-11-13 15:41 ` Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox