From: Dominik Csapak <d.csapak@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>,
Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [RFC PATCH access-control] loosen locking restriction for users without tfa configured
Date: Thu, 15 Sep 2022 14:40:42 +0200 [thread overview]
Message-ID: <5fb8bc75-3517-086f-5389-983e1d80e890@proxmox.com> (raw)
In-Reply-To: <28056eb0-7712-00a6-b342-b2bbb4fa2279@proxmox.com>
On 9/15/22 12:43, Thomas Lamprecht wrote:
> Am 14/09/2022 um 15:42 schrieb Dominik Csapak:
>> The downside is that we cannot authenticate users anymore without quorum
>> (since locking requires write access to pmxcfs), even for users without
>> tfa configured (and also for clusters without any tfa configured at all)
>
> question is more if we should disallow login on unquorate clusters for all
> but root@pam, as for all others you cannot be sure if they still got the
> permissions and for the pve realm the credentials are still correct, or
> if the non-existing TFA entry is still up-to-date (the quorate partition
> could have TFA configured for that user since cluster split).
fair point, but then we'd also have to deny api requests in general
for non root@pam users when the cluster is not quorate,
otherwise they can continue making requests with existing tickets
(aside creating a new one)
>
> root@pam is a hard-coded super admin and verified via PAM, which normally
> should be pmxcfs, and thus quorum, independent, at least if nobody was crazy
> enough to link /etc/shadow to a file in pmxcfs or wrote a PAM that works
> on pmxcfs info in other ways.
AFAICS a user can't do anything on a non quorate cluster that wouldn't be possible
over ssh for example ? since most operations already need the cluster to be quorate
(aside from things such as network configuration, which might be the exact reason
why the cluster is not quorate, so the admin/user wants to fix it)
so imho @pam could be allowed in general, but for the other realms it's
very much a design decision.
just to note: before accidentally breaking such logins by locking the tfa
config, we always let users login, regardless of cluster quorum state
next prev parent reply other threads:[~2022-09-15 12:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 13:42 Dominik Csapak
2022-09-15 7:01 ` Fabian Grünbichler
2022-09-15 10:43 ` Thomas Lamprecht
2022-09-15 12:40 ` Dominik Csapak [this message]
2022-09-15 12:53 ` Thomas Lamprecht
2022-09-15 13:12 ` Dominik Csapak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5fb8bc75-3517-086f-5389-983e1d80e890@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=t.lamprecht@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox