public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations
@ 2023-05-03  7:52 Fabian Grünbichler
  2023-05-03  7:52 ` [pve-devel] [PATCH manager 1/2] ui: cloudinit: match backend privilege checks Fabian Grünbichler
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2023-05-03  7:52 UTC
  To: pve-devel

these patches adapt the Cloudinit privileges in the backend and GUI so
that just giving out "VM.Config.Cloudinit" (and, if forceful
regeneration outside of guest starts is desired, "VM.Config.CDROM") is
enough to allow an unprivileged user to manage cloudinit for a given
guest.

pve-manager

Fabian Grünbichler (2):
  ui: cloudinit: match backend privilege checks
  ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit

 www/manager6/qemu/CloudInit.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

qemu-server

Fabian Grünbichler (1):
  update_vm: allow setting ipconfigX with VM.Config.Cloudinit

 PVE/API2/Qemu.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.30.2

* [pve-devel] [PATCH manager 1/2] ui: cloudinit: match backend privilege checks
  2023-05-03  7:52 [pve-devel] [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Fabian Grünbichler
@ 2023-05-03  7:52 ` Fabian Grünbichler
  2023-05-03  7:52 ` [pve-devel] [RFC manager 2/2] ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit Fabian Grünbichler
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2023-05-03  7:52 UTC
  To: pve-devel

the cloudinit options except for ipconfig are all modifiable with just
"VM.Config.Cloudinit".

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 www/manager6/qemu/CloudInit.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/www/manager6/qemu/CloudInit.js b/www/manager6/qemu/CloudInit.js
index 77ff93d4..3a1323d1 100644
--- a/www/manager6/qemu/CloudInit.js
+++ b/www/manager6/qemu/CloudInit.js
@@ -22,8 +22,8 @@ Ext.define('PVE.qemu.CloudInit', {
 	    enableFn: function(record) {
 		let view = this.up('grid');
 		var caps = Ext.state.Manager.get('GuiCap');
-		if (view.rows[record.data.key].never_delete ||
-		    !caps.vms['VM.Config.Network']) {
+		let caps_ci = caps.vms['VM.Config.Network'] || caps.vms['VM.Config.Cloudinit'];
+		if (view.rows[record.data.key].never_delete || !caps_ci) {
 		    return false;
 		}
 
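Review bot: the new `!caps_ci` test in enableFn is applied to every record that is not never_delete, without looking at record.data.key, while the commit message says ipconfig is the one cloudinit option not covered by VM.Config.Cloudinit alone. If the ipconfig/net rows pass through this enableFn, a user holding only VM.Config.Cloudinit gets the control enabled for a key the backend still guards with VM.Config.Network at this point in the series. Either key the check on the row (keep requiring caps.vms['VM.Config.Network'] for ipconfig rows) or state in the commit message that this is intentional pending the qemu-server change.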
@@ -242,14 +242,14 @@ Ext.define('PVE.qemu.CloudInit', {
 	    searchdomain: {
 		header: gettext('DNS domain'),
 		iconCls: 'fa fa-globe',
-		editor: caps.vms['VM.Config.Network'] ? 'PVE.lxc.DNSEdit' : undefined,
+		editor: caps_ci ? 'PVE.lxc.DNSEdit' : undefined,
 		never_delete: true,
 		defaultValue: gettext('use host settings'),
 	    },
 	    nameserver: {
 		header: gettext('DNS servers'),
 		iconCls: 'fa fa-globe',
-		editor: caps.vms['VM.Config.Network'] ? 'PVE.lxc.DNSEdit' : undefined,
+		editor: caps_ci ? 'PVE.lxc.DNSEdit' : undefined,
 		never_delete: true,
 		defaultValue: gettext('use host settings'),
 	    },
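Review bot: caps_ci is used here for the searchdomain and nameserver editors, but the only declaration this patch adds is the `let caps_ci` inside enableFn in the first hunk, and the diffstat (4 insertions) leaves no room for a second one. A `let` inside that function is not visible where these row definitions are built, so unless the file already has an outer caps_ci these two lines reference an undeclared name. Declare caps_ci next to the `caps` that the removed lines used here, and have enableFn reuse the same expression or a small helper so the two checks cannot drift apart.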
-- 
2.30.2

* [pve-devel] [RFC manager 2/2] ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit
  2023-05-03  7:52 [pve-devel] [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Fabian Grünbichler
  2023-05-03  7:52 ` [pve-devel] [PATCH manager 1/2] ui: cloudinit: match backend privilege checks Fabian Grünbichler
@ 2023-05-03  7:52 ` Fabian Grünbichler
  2023-05-03  7:52 ` [pve-devel] [RFC qemu-server 1/1] allow setting ipconfigX " Fabian Grünbichler
  2023-06-07 16:24 ` [pve-devel] applied: [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2023-05-03  7:52 UTC
  To: pve-devel

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    only if the qemu-server patch gets applied, and then it can be folded into the
    previous commit

 www/manager6/qemu/CloudInit.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/manager6/qemu/CloudInit.js b/www/manager6/qemu/CloudInit.js
index 3a1323d1..bb0a7a45 100644
--- a/www/manager6/qemu/CloudInit.js
+++ b/www/manager6/qemu/CloudInit.js
@@ -303,7 +303,7 @@ Ext.define('PVE.qemu.CloudInit', {
 	    me.rows['net' + i.toString()] = {
 		multiKey: ['ipconfig' + i.toString(), 'net' + i.toString()],
 		header: gettext('IP Config') + ' (net' + i.toString() +')',
-		editor: caps.vms['VM.Config.Network'] ? 'PVE.qemu.IPConfigEdit' : undefined,
+		editor: caps_ci ? 'PVE.qemu.IPConfigEdit' : undefined,
 		iconCls: 'fa fa-exchange',
 		renderer: ipconfig_renderer,
 	    };
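Review bot: the changed `editor:` line offers the IP Config editor to users with only VM.Config.Cloudinit, which is correct only against a qemu-server that carries the ipconfigX change from this series; against a backend that still checks VM.Config.Network for ipconfigX the editor opens and the save is refused. The note above the diffstat states the dependency, but nothing in the patch enforces it, so the applied version should come with a versioned dependency bump on qemu-server or be held until that package is released. caps_ci also needs a declaration in this scope, since the only one added in 1/2 sits inside enableFn.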
-- 
2.30.2

* [pve-devel] [RFC qemu-server 1/1] allow setting ipconfigX with VM.Config.Cloudinit
  2023-05-03  7:52 [pve-devel] [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Fabian Grünbichler
  2023-05-03  7:52 ` [pve-devel] [PATCH manager 1/2] ui: cloudinit: match backend privilege checks Fabian Grünbichler
  2023-05-03  7:52 ` [pve-devel] [RFC manager 2/2] ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit Fabian Grünbichler
@ 2023-05-03  7:52 ` Fabian Grünbichler
  2023-06-07 16:24 ` [pve-devel] applied: [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2023-05-03  7:52 UTC
  To: pve-devel

these config keys only affect the cloudinit drive contents (and state of the
guest inside the VM), they are not used anywhere on the hypervisor side, so
they should not require VM.Config.Network (which allows a lot more, such as
changing vNIC VLAN tags or the bridges they are connected to).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
https://forum.proxmox.com/threads/role-vm-config-networking-prevent-cloud-init-networking.126719
and https://bugzilla.proxmox.com/show_bug.cgi?id=2741 for some prior
discussions..

 PVE/API2/Qemu.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 587bb222..0999a9ef 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -631,9 +631,9 @@ my $check_vm_modify_config_perm = sub {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
 	} elsif ($diskoptions->{$opt}) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-	} elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
+	} elsif ($opt =~ m/^net\d+$/) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
-	} elsif ($cloudinitoptions->{$opt}) {
+	} elsif ($cloudinitoptions->{$opt} || $opt =~ m/^ipconfig\d+$/) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Cloudinit', 'VM.Config.Network'], 1);
 	} elsif ($opt eq 'vmstate') {
 	    # the user needs Disk and PowerMgmt privileges to change the vmstate
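Review bot: moving `ipconfig\d+` out of the `net` branch widens what an existing VM.Config.Cloudinit grant allows: roles that were handed that privilege before this change could not set ipconfigX and now can. That is the intent per the commit message, but it is a behaviour change for already-deployed ACLs, so it deserves a line in the changelog and in the privilege documentation. A short comment above the `elsif` recording that ipconfigX only ends up in the cloudinit drive and is not used on the hypervisor side would also keep the regex from being merged back into the `net\d+` branch later.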
-- 
2.30.2

* [pve-devel] applied: [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations
  2023-05-03  7:52 [pve-devel] [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Fabian Grünbichler
                   ` (2 preceding siblings ...)
  2023-05-03  7:52 ` [pve-devel] [RFC qemu-server 1/1] allow setting ipconfigX " Fabian Grünbichler
@ 2023-06-07 16:24 ` Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2023-06-07 16:24 UTC
  To: Proxmox VE development discussion, Fabian Grünbichler

On 03/05/2023 at 09:52, Fabian Grünbichler wrote:
> these patches adapt the Cloudinit privileges in the backend and GUI so
> that just giving out "VM.Config.Cloudinit" (and, if forceful
> regeneration outside of guest starts is desired, "VM.Config.CDROM") is
> enough to allow an unprivileged user to manage cloudinit for a given
> guest.
> 
> pve-manager
> 
> Fabian Grünbichler (2):
>   ui: cloudinit: match backend privilege checks
>   ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit
> 
>  www/manager6/qemu/CloudInit.js | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> qemu-server
> 
> Fabian Grünbichler (1):
>   update_vm: allow setting ipconfigX with VM.Config.Cloudinit
> 
>  PVE/API2/Qemu.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 


applied series, with manager RFC 2/2 squashed into 1/2, thanks!



