* [pve-devel] [PATCH access-control 0/2] improve permission self-service
@ 2024-11-05 8:30 Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2024-11-05 8:30 UTC (permalink / raw)
To: pve-devel
noticed this while testing https://lore.proxmox.com/pve-devel/20241031134629.144893-1-d.kral@proxmox.com
the first patch fixes the already allowed "permission self-service" for
users as the web UI implements it (it always passes the $userid
parameter).
the second patch extends that self-service to allow users without
Sys.Audit on /access to evaluate their own tokens' ACLs/permissions,
which seems sensible to me ;)
Fabian Grünbichler (2):
api: permissions: allow users to view their own permissions
api: permissions: allow users to check their own tokens
src/PVE/API2/AccessControl.pm | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions
2024-11-05 8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
@ 2024-11-05 8:30 ` Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens Fabian Grünbichler
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2024-11-05 8:30 UTC (permalink / raw)
To: pve-devel
even when specifying an explicit userid matching their own.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/PVE/API2/AccessControl.pm | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index c55a7b3..157a5ee 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -486,14 +486,14 @@ __PACKAGE__->register_method({
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
+ my $authid = $rpcenv->get_user();
my $userid = $param->{userid};
- if (defined($userid)) {
+ $userid = $authid if !defined($userid);
+
+ if ($userid ne $authid) {
$rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
- } else {
- $userid = $rpcenv->get_user();
}
-
my $res;
if (my $path = $param->{path}) {
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens
2024-11-05 8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
@ 2024-11-05 8:30 ` Fabian Grünbichler
2024-11-06 14:54 ` [pve-devel] [PATCH access-control 0/2] improve permission self-service Daniel Kral
2024-11-10 19:08 ` [pve-devel] applied-series: " Thomas Lamprecht
3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2024-11-05 8:30 UTC (permalink / raw)
To: pve-devel
even if they lack Sys.Audit on /access - since tokens are self-service,
checking whether the ACLs work as expected should also be doable for every
user.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
src/PVE/API2/AccessControl.pm | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 157a5ee..7fcf6fb 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -460,7 +460,11 @@ __PACKAGE__->register_method({
method => 'GET',
description => 'Retrieve effective permissions of given user/token.',
permissions => {
- description => "Each user/token is allowed to dump their own permissions. A user can dump the permissions of another user if they have 'Sys.Audit' permission on /access.",
+ description => "Each user/token is allowed to dump their own ".
+ "permissions (or that of owned tokens). A user ".
+ "can dump the permissions of another user or ".
+ "their tokens if they have 'Sys.Audit' permission ".
+ "on /access.",
user => 'all',
},
parameters => {
@@ -491,7 +495,11 @@ __PACKAGE__->register_method({
my $userid = $param->{userid};
$userid = $authid if !defined($userid);
- if ($userid ne $authid) {
+ my ($user, $token) = PVE::AccessControl::split_tokenid($userid, 1);
+ my $check_self = $userid eq $authid;
+ my $check_owned_token = defined($user) && $user eq $authid;
+
+ if (!($check_self || $check_owned_token)) {
$rpcenv->check($rpcenv->get_user(), '/access', ['Sys.Audit']);
}
my $res;
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pve-devel] [PATCH access-control 0/2] improve permission self-service
2024-11-05 8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens Fabian Grünbichler
@ 2024-11-06 14:54 ` Daniel Kral
2024-11-10 19:08 ` [pve-devel] applied-series: " Thomas Lamprecht
3 siblings, 0 replies; 5+ messages in thread
From: Daniel Kral @ 2024-11-06 14:54 UTC (permalink / raw)
To: pve-devel
On 11/5/24 09:30, Fabian Grünbichler wrote:
> noticed this while testing https://lore.proxmox.com/pve-devel/20241031134629.144893-1-d.kral@proxmox.com
>
> the first patch fixes the already allowed "permission self-service" for
> users as the web UI implements it (it always passes the $userid
> parameter).
>
> the second patch extends that self-service to allow users without
> Sys.Audit on /access to evaluate their own tokens' ACLs/permissions,
> which seems sensible to me ;)
>
> Fabian Grünbichler (2):
> api: permissions: allow users to view their own permissions
> api: permissions: allow users to check their own tokens
>
> src/PVE/API2/AccessControl.pm | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)
>
I have written some test cases for this and sent the patch to the
mailing list [0].
[0]
https://lore.proxmox.com/pve-devel/20241106144813.189056-1-d.kral@proxmox.com/
With the test cases included there, consider the whole series as:
Tested-by: Daniel Kral <d.kral@proxmox.com>
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pve-devel] applied-series: [PATCH access-control 0/2] improve permission self-service
2024-11-05 8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
` (2 preceding siblings ...)
2024-11-06 14:54 ` [pve-devel] [PATCH access-control 0/2] improve permission self-service Daniel Kral
@ 2024-11-10 19:08 ` Thomas Lamprecht
3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2024-11-10 19:08 UTC (permalink / raw)
To: Proxmox VE development discussion, Fabian Grünbichler
Am 05.11.24 um 09:30 schrieb Fabian Grünbichler:
> noticed this while testing https://lore.proxmox.com/pve-devel/20241031134629.144893-1-d.kral@proxmox.com
>
> the first patch fixes the already allowed "permission self-service" for
> users as the web UI implements it (it always passes the $userid
> parameter).
>
> the second patch extends that self-service to allow users without
> Sys.Audit on /access to evaluate their own tokens' ACLs/permissions,
> which seems sensible to me ;)
>
> Fabian Grünbichler (2):
> api: permissions: allow users to view their own permissions
> api: permissions: allow users to check their own tokens
>
> src/PVE/API2/AccessControl.pm | 18 +++++++++++++-----
> 1 file changed, 13 insertions(+), 5 deletions(-)
>
applied with Daniel's T-b, thanks!
ps. I made a small code-style follow-up for breaking up the schema description
over multiple lines so that it follows our style guide [0], there were some other
bad instances in that file anyway, so I did it as separate patch.
[0]: https://pve.proxmox.com/wiki/Perl_Style_Guide#Wrapping_Strings
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-11-10 19:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-11-05 8:30 [pve-devel] [PATCH access-control 0/2] improve permission self-service Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 1/2] api: permissions: allow users to view their own permissions Fabian Grünbichler
2024-11-05 8:30 ` [pve-devel] [PATCH access-control 2/2] api: permissions: allow users to check their own tokens Fabian Grünbichler
2024-11-06 14:54 ` [pve-devel] [PATCH access-control 0/2] improve permission self-service Daniel Kral
2024-11-10 19:08 ` [pve-devel] applied-series: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox