[pve-devel] [PATCH pve-ha-manager] HA API: Fix permissions

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Oct 30 10:55:44 CET 2015


Integrate permission in the HA API so that not only root may do
changes.
-) create/edit/update actions need the 'Sys.Console' privileges on
   the root (/) path
-) read actions need the 'Sys.Audit' privilege on the root (/) path

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 src/PVE/API2/HA/Groups.pm    | 17 +++++++++++++++--
 src/PVE/API2/HA/Resources.pm | 23 +++++++++++++++++++++--
 src/PVE/API2/HA/Status.pm    |  6 ++++++
 3 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/src/PVE/API2/HA/Groups.pm b/src/PVE/API2/HA/Groups.pm
index 243eca8..90fc436 100644
--- a/src/PVE/API2/HA/Groups.pm
+++ b/src/PVE/API2/HA/Groups.pm
@@ -18,8 +18,6 @@ use PVE::RESTHandler;
 
 use base qw(PVE::RESTHandler);
 
-# fixme: fix permissions
-
 my $api_copy_config = sub {
     my ($cfg, $group) = @_;
 
@@ -40,6 +38,9 @@ __PACKAGE__->register_method ({
     path => '',
     method => 'GET',
     description => "Get HA groups.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {},
@@ -73,6 +74,9 @@ __PACKAGE__->register_method ({
     path => '{group}',
     method => 'GET',
     description => "Read ha group configuration.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -95,6 +99,9 @@ __PACKAGE__->register_method ({
     path => '',
     method => 'POST',
     description => "Create a new HA group.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => PVE::HA::Groups->createSchema(),
     returns => { type => 'null' },
     code => sub {
@@ -140,6 +147,9 @@ __PACKAGE__->register_method ({
     path => '{group}',
     method => 'PUT',
     description => "Update ha group configuration.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => PVE::HA::Groups->updateSchema(),
     returns => { type => 'null' },
     code => sub {
@@ -199,6 +209,9 @@ __PACKAGE__->register_method ({
     path => '{group}',
     method => 'DELETE',
     description => "Delete ha group configuration.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
diff --git a/src/PVE/API2/HA/Resources.pm b/src/PVE/API2/HA/Resources.pm
index fc34433..5fa970e 100644
--- a/src/PVE/API2/HA/Resources.pm
+++ b/src/PVE/API2/HA/Resources.pm
@@ -22,8 +22,6 @@ use base qw(PVE::RESTHandler);
 
 my $resource_type_enum = PVE::HA::Resources->lookup_types();
 
-# fixme: fix permissions
-
 my $api_copy_config = sub {
     my ($cfg, $sid) = @_;
 
@@ -41,6 +39,9 @@ __PACKAGE__->register_method ({
     path => '',
     method => 'GET',
     description => "List HA resources.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -83,6 +84,9 @@ __PACKAGE__->register_method ({
     name => 'read',
     path => '{sid}',
     method => 'GET',
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit' ]],
+    },
     description => "Read resource configuration.",
     parameters => {
     	additionalProperties => 0,
@@ -107,6 +111,9 @@ __PACKAGE__->register_method ({
     protected => 1,
     path => '',
     method => 'POST',
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     description => "Create a new HA resource.",
     parameters => PVE::HA::Resources->createSchema(),
     returns => { type => 'null' },
@@ -155,6 +162,9 @@ __PACKAGE__->register_method ({
     path => '{sid}',
     method => 'PUT',
     description => "Update resource configuration.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => PVE::HA::Resources->updateSchema(),
     returns => { type => 'null' },
     code => sub {
@@ -213,6 +223,9 @@ __PACKAGE__->register_method ({
     path => '{sid}',
     method => 'DELETE',
     description => "Delete resource configuration.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -248,6 +261,9 @@ __PACKAGE__->register_method ({
     path => '{sid}/migrate',
     method => 'POST',
     description => "Request resource migration (online) to another node.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -276,6 +292,9 @@ __PACKAGE__->register_method ({
     path => '{sid}/relocate',
     method => 'POST',
     description => "Request resource relocatzion to another node. This stops the service on the old node, and restarts it on the target node.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Console' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
diff --git a/src/PVE/API2/HA/Status.pm b/src/PVE/API2/HA/Status.pm
index 2a690d3..a7bdea8 100644
--- a/src/PVE/API2/HA/Status.pm
+++ b/src/PVE/API2/HA/Status.pm
@@ -64,6 +64,9 @@ __PACKAGE__->register_method ({
     path => 'current',
     method => 'GET',
     description => "Get HA manger status.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {},
@@ -126,6 +129,9 @@ __PACKAGE__->register_method ({
     path => 'manager_status',
     method => 'GET',
     description => "Get full HA manger status, including LRM status.",
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {},
-- 
2.1.4




More information about the pve-devel mailing list