From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id B72441FF15C
	for <inbox@lore.proxmox.com>; Wed,  5 Feb 2025 11:01:31 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 84B536FCB;
	Wed,  5 Feb 2025 11:01:29 +0100 (CET)
Message-ID: <c318b880-3b24-4759-b736-e9c05e4e0be3@proxmox.com>
Date: Wed, 5 Feb 2025 11:00:55 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Daniel Kral <d.kral@proxmox.com>,
 Proxmox VE development discussion <pve-devel@lists.proxmox.com>
References: <20241204151123.447107-1-d.kral@proxmox.com>
 <64c46c18-1e31-45d7-88ba-12010bea2539@proxmox.com>
 <5448e8a5-db8c-4745-aab8-3d613c5d95f7@proxmox.com>
Content-Language: en-US
From: Fiona Ebner <f.ebner@proxmox.com>
In-Reply-To: <5448e8a5-db8c-4745-aab8-3d613c5d95f7@proxmox.com>
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.197 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 POISEN_SPAM_PILL          0.1 Meta: its spam
 POISEN_SPAM_PILL_1        0.1 random spam to be learned in bayes
 POISEN_SPAM_PILL_3        0.1 random spam to be learned in bayes
 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
 Validity was blocked. See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [proxmox.com]
Subject: Re: [pve-devel] [PATCH access-control] api: role: remove role
 references from acl rules on role deletion
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

Am 05.02.25 um 10:21 schrieb Daniel Kral:
> On 2/3/25 12:49, Fiona Ebner wrote:
>> Am 04.12.24 um 16:11 schrieb Daniel Kral:
>>> Let the API endpoint `DELETE /access/roles/{roleid}` or command
>>> `pveum role delete <roleid>` remove any ACL rules in the user
>>> configuration, which reference the removed role.
>>>
>>> Before this change, the removal of a role has caused the role to remain
>>> in existing ACL rules, which referenced the removed role. Therefore, on
>>> each parse of the user configuration, a warning was be displayed:
>>>
>>> user config - ignore invalid acl role '<role>'
>>>
>>
>> Might be good to note that the next modification of the configuration
>> would drop the unknown role (even if a role with the same name is
>> re-added right away).
> 
> Thanks, will mention that in the v2!
> 
> Just for clarification, what could be an/the use case of deleting and
> re-adding the role? It could be certainly beneficial to add a small
> reminder in the WebUI, that removing a user/group/role will also delete
> its dependents.

Could happen by accident, or could just be the want to use a new role
with the same name for something (slightly) different. But I mentioned
this, because one could suspect that re-adding right away could be a
scenario where the left-overs from the deleted role are not dropped. And
a new role starting out with ACLs from a previous one would be
surprising and have security-critical implications. It's not the case
however, the left-overs are dropped even then.

Still, if you ever suspect you came across something with security
implications, best to contact a member of the security team, or you can
also just use the standard channels:
https://pve.proxmox.com/wiki/Security_Reporting )

> 
> On 2/3/25 12:49, Fiona Ebner wrote:
>> What would be really nice is to have some tests for various
>> add/modify/delete sequences touching user.cfg :) I don't think current
>> tests cover that yet.
> 
> I'll gladly provide these with a v2 to document the changes and also
> just enforce this behavior in the future :).

Great!


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel