[pve-devel] [PATCH manager] add permissions to allow non root ceph configuration
Dietmar Maurer
dietmar at proxmox.com
Mon Feb 8 14:24:09 CET 2016
What about
check => ['perm', '/', [ 'Sys.Modify' ]],
?
> On February 2, 2016 at 10:48 AM Wolfgang Bumiller <w.bumiller at proxmox.com>
> wrote:
>
>
> The *.Audit parts are definitely fine.
>
> Note that while Sys.Console shows the Console tab, the console api call
> itself also has a hardcoded check for realm == 'pam' and spawns a login
> prompt for non-root users, so Sys.Console alone might not be equivalent
> after all.
> So there's still the question whether we define Sys.Console to be enough
> or want one or more new ceph specific permission types? Note that
> 'createosd' for instance takes a block device name as parameter and is
> therefore potentially dangerous.
> In any case we need to carefully audit all the run_command calls in the
> ceph API calls to make sure no arbitrary shell commands can be leaked
> into it via user-input.
>
> On Mon, Feb 01, 2016 at 12:49:47PM +0100, Thomas Lamprecht wrote:
> > Do not only allow root at pam to admin ceph server as some user do not
> > want to allow root logins and users with the Sys.Console permission
> > can open a root host shell and thus indirectly admin ceph, thus
> > make it sane for them.
> >
> > We use basically the following permissions:
> > Sys.Console:
> > for any delete, add, modify action (POST, PUT, DELETE)
> > Sys.Audit and Datastore.Audit:
> > for any status/information view action (GET)
> > Sys.Log:
> > for viewing the Ceph log (was already implemented)
> >
> > Also show users with any of those capabilities the ceph tab in the
> > web GUI.
> >
> > Addresses bug#818
> >
> > Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> > ---
> > PVE/API2/Ceph.pm | 57
> > ++++++++++++++++++++++++++++++++++++++++++++++
> > www/manager/node/Config.js | 4 ++++
> > 2 files changed, 61 insertions(+)
> >
> > diff --git a/PVE/API2/Ceph.pm b/PVE/API2/Ceph.pm
> > index e831989..6e603e1 100644
> > --- a/PVE/API2/Ceph.pm
> > +++ b/PVE/API2/Ceph.pm
> > @@ -61,6 +61,9 @@ __PACKAGE__->register_method ({
> > description => "Get Ceph osd list/tree.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -157,6 +160,9 @@ __PACKAGE__->register_method ({
> > description => "Create OSD",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -257,6 +263,9 @@ __PACKAGE__->register_method ({
> > description => "Destroy OSD",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -378,6 +387,9 @@ __PACKAGE__->register_method ({
> > description => "ceph osd in",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -414,6 +426,9 @@ __PACKAGE__->register_method ({
> > description => "ceph osd out",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -486,6 +501,9 @@ __PACKAGE__->register_method ({
> > method => 'GET',
> > description => "Directory index.",
> > permissions => { user => 'all' },
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -527,6 +545,9 @@ __PACKAGE__->register_method ({
> > description => "List local disks.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -588,6 +609,9 @@ __PACKAGE__->register_method ({
> > name => 'config',
> > path => 'config',
> > method => 'GET',
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > description => "Get Ceph configuration.",
> > parameters => {
> > additionalProperties => 0,
> > @@ -613,6 +637,9 @@ __PACKAGE__->register_method ({
> > description => "Get Ceph monitor list.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -679,6 +706,9 @@ __PACKAGE__->register_method ({
> > description => "Create initial ceph default configuration and setup
> > symlinks.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -788,6 +818,9 @@ __PACKAGE__->register_method ({
> > description => "Create Ceph Monitor",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -915,6 +948,9 @@ __PACKAGE__->register_method ({
> > description => "Destroy Ceph monitor.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -980,6 +1016,9 @@ __PACKAGE__->register_method ({
> > description => "Stop ceph services.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -1027,6 +1066,9 @@ __PACKAGE__->register_method ({
> > description => "Start ceph services.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -1074,6 +1116,9 @@ __PACKAGE__->register_method ({
> > description => "Get ceph status.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -1097,6 +1142,9 @@ __PACKAGE__->register_method ({
> > description => "List all pools.",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -1159,6 +1207,9 @@ __PACKAGE__->register_method ({
> > description => "Create POOL",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -1263,6 +1314,9 @@ __PACKAGE__->register_method ({
> > description => "Destroy pool",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Console' ]],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > @@ -1300,6 +1354,9 @@ __PACKAGE__->register_method ({
> > description => "Get OSD crush map",
> > proxyto => 'node',
> > protected => 1,
> > + permissions => {
> > + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > + },
> > parameters => {
> > additionalProperties => 0,
> > properties => {
> > diff --git a/www/manager/node/Config.js b/www/manager/node/Config.js
> > index e6c7ae1..82ae0a0 100644
> > --- a/www/manager/node/Config.js
> > +++ b/www/manager/node/Config.js
> > @@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', {
> > nodename: nodename
> > }
> > ]);
> > + }
> > +
> > + if (caps.nodes['Sys.Console'] || caps.nodes['Sys.Audit'] ||
> > + caps.nodes['Sys.Log']) {
> > me.items.push([{
> > title: 'Ceph',
> > itemId: 'ceph',
> > --
> > 2.1.4
> >
> >
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel at pve.proxmox.com
> > http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> >
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
More information about the pve-devel
mailing list