[pve-devel] [PATCH pve-ha-manager] HA API: Fix permissions
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Oct 30 10:55:44 CET 2015
Integrate permission checks into the HA API so that users other than
root can make changes.
-) create/edit/update actions need the 'Sys.Console' privilege on
the root (/) path
-) read actions need the 'Sys.Audit' privilege on the root (/) path
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
src/PVE/API2/HA/Groups.pm | 17 +++++++++++++++--
src/PVE/API2/HA/Resources.pm | 23 +++++++++++++++++++++--
src/PVE/API2/HA/Status.pm | 6 ++++++
3 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/src/PVE/API2/HA/Groups.pm b/src/PVE/API2/HA/Groups.pm
index 243eca8..90fc436 100644
--- a/src/PVE/API2/HA/Groups.pm
+++ b/src/PVE/API2/HA/Groups.pm
@@ -18,8 +18,6 @@ use PVE::RESTHandler;
use base qw(PVE::RESTHandler);
-# fixme: fix permissions
-
my $api_copy_config = sub {
my ($cfg, $group) = @_;
@@ -40,6 +38,9 @@ __PACKAGE__->register_method ({
path => '',
method => 'GET',
description => "Get HA groups.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {},
@@ -73,6 +74,9 @@ __PACKAGE__->register_method ({
path => '{group}',
method => 'GET',
description => "Read ha group configuration.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
@@ -95,6 +99,9 @@ __PACKAGE__->register_method ({
path => '',
method => 'POST',
description => "Create a new HA group.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => PVE::HA::Groups->createSchema(),
returns => { type => 'null' },
code => sub {
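Review bot: The write endpoints are gated on `Sys.Console`, a privilege whose name describes console access to a node, so anyone granted it on `/` for that purpose also gains the right to create HA groups here; the same check is used in the PUT and DELETE hunks below and in the create, update and delete hunks of Resources.pm. If reusing the privilege is intended, the coupling deserves a comment beside the check, for example `# Sys.Console on '/' is deliberately reused to gate HA configuration changes`; otherwise a dedicated privilege would keep the two grants separate. Because the path is fixed to `/`, the right also cannot be delegated for a single group. The register_method call starts and ends outside this hunk.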
@@ -140,6 +147,9 @@ __PACKAGE__->register_method ({
path => '{group}',
method => 'PUT',
description => "Update ha group configuration.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => PVE::HA::Groups->updateSchema(),
returns => { type => 'null' },
code => sub {
@@ -199,6 +209,9 @@ __PACKAGE__->register_method ({
path => '{group}',
method => 'DELETE',
description => "Delete ha group configuration.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
diff --git a/src/PVE/API2/HA/Resources.pm b/src/PVE/API2/HA/Resources.pm
index fc34433..5fa970e 100644
--- a/src/PVE/API2/HA/Resources.pm
+++ b/src/PVE/API2/HA/Resources.pm
@@ -22,8 +22,6 @@ use base qw(PVE::RESTHandler);
my $resource_type_enum = PVE::HA::Resources->lookup_types();
-# fixme: fix permissions
-
my $api_copy_config = sub {
my ($cfg, $sid) = @_;
@@ -41,6 +39,9 @@ __PACKAGE__->register_method ({
path => '',
method => 'GET',
description => "List HA resources.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
@@ -83,6 +84,9 @@ __PACKAGE__->register_method ({
name => 'read',
path => '{sid}',
method => 'GET',
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ },
description => "Read resource configuration.",
parameters => {
additionalProperties => 0,
@@ -107,6 +111,9 @@ __PACKAGE__->register_method ({
protected => 1,
path => '',
method => 'POST',
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
description => "Create a new HA resource.",
parameters => PVE::HA::Resources->createSchema(),
returns => { type => 'null' },
@@ -155,6 +162,9 @@ __PACKAGE__->register_method ({
path => '{sid}',
method => 'PUT',
description => "Update resource configuration.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => PVE::HA::Resources->updateSchema(),
returns => { type => 'null' },
code => sub {
@@ -213,6 +223,9 @@ __PACKAGE__->register_method ({
path => '{sid}',
method => 'DELETE',
description => "Delete resource configuration.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
@@ -248,6 +261,9 @@ __PACKAGE__->register_method ({
path => '{sid}/migrate',
method => 'POST',
description => "Request resource migration (online) to another node.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
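Review bot: The check added for `{sid}/migrate` looks only at `Sys.Console` on `/` and never at the guest that `{sid}` names, so a caller holding that one privilege can request migration of any HA-managed service, including guests on which they have no rights of their own; the `{sid}/relocate` hunk below has the same shape. The handler body is outside the hunk, so a per-guest check may already exist there, but nothing visible shows one. Consider resolving the sid to its guest in the handler and also requiring the guest-level migrate privilege (`VM.Migrate` on the guest's ACL path) before queuing the request. Relocate stops the service on the old node, per its description, so an unchecked call is also an availability concern.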
@@ -276,6 +292,9 @@ __PACKAGE__->register_method ({
path => '{sid}/relocate',
method => 'POST',
description => "Request resource relocatzion to another node. This stops the service on the old node, and restarts it on the target node.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Console' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {
diff --git a/src/PVE/API2/HA/Status.pm b/src/PVE/API2/HA/Status.pm
index 2a690d3..a7bdea8 100644
--- a/src/PVE/API2/HA/Status.pm
+++ b/src/PVE/API2/HA/Status.pm
@@ -64,6 +64,9 @@ __PACKAGE__->register_method ({
path => 'current',
method => 'GET',
description => "Get HA manger status.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {},
@@ -126,6 +129,9 @@ __PACKAGE__->register_method ({
path => 'manager_status',
method => 'GET',
description => "Get full HA manger status, including LRM status.",
+ permissions => {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ },
parameters => {
additionalProperties => 0,
properties => {},
--
2.1.4