[pve-devel] [PATCH manager] add permissions to allow non root ceph configuration

Dietmar Maurer dietmar at proxmox.com
Mon Feb 8 14:24:09 CET 2016


What about  

check => ['perm', '/', [ 'Sys.Modify' ]],

?

> On February 2, 2016 at 10:48 AM Wolfgang Bumiller <w.bumiller at proxmox.com>
> wrote:
> 
> 
> The *.Audit parts are definitely fine.
> 
> Note that while Sys.Console shows the Console tab, the console api call
> itself also has a hardcoded check for realm == 'pam' and spawns a login
> prompt for non-root users, so Sys.Console alone might not be equivalent
> after all.
> So there's still the question whether we define Sys.Console to be enough
> or want one or more new ceph specific permission types? Note that
> 'createosd' for instance takes a block device name as parameter and is
> therefore potentially dangerous.
> In any case we need to carefully audit all the run_command calls in the
> ceph API calls to make sure no arbitrary shell commands can be leaked
> into it via user-input.
> 
> On Mon, Feb 01, 2016 at 12:49:47PM +0100, Thomas Lamprecht wrote:
> > Do not only allow root at pam to admin ceph server as some users do not
> > want to allow root logins and users with the Sys.Console permission
> > can open a root host shell and thus indirectly admin ceph, thus
> > make it sane for them.
> > 
> > We use basically the following permissions:
> >  Sys.Console:
> >     for any delete, add, modify action (POST, PUT, DELETE)
> >  Sys.Audit and Datastore.Audit:
> >     for any status/information view action (GET)
> >  Sys.Log:
> >     for viewing the Ceph log (was already implemented)
> > 
> > Also show users with any of those capabilities the ceph tab in the
> > web GUI.
> > 
> > Addresses bug#818
> > 
> > Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> > ---
> >  PVE/API2/Ceph.pm           | 57
> > ++++++++++++++++++++++++++++++++++++++++++++++
> >  www/manager/node/Config.js |  4 ++++
> >  2 files changed, 61 insertions(+)
> > 
> > diff --git a/PVE/API2/Ceph.pm b/PVE/API2/Ceph.pm
> > index e831989..6e603e1 100644
> > --- a/PVE/API2/Ceph.pm
> > +++ b/PVE/API2/Ceph.pm
> > @@ -61,6 +61,9 @@ __PACKAGE__->register_method ({
> >      description => "Get Ceph osd list/tree.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -157,6 +160,9 @@ __PACKAGE__->register_method ({
> >      description => "Create OSD",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
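Review bot: `Sys.Console` on the "Create OSD" method gates a write operation on a method marked `protected => 1`, and as the reply quoted above points out, createosd takes a block device name as a parameter. Sys.Console describes console access rather than configuration changes, so use a modify-type privilege such as the `Sys.Modify` proposed at the top of this thread, or a ceph-specific one, and confirm that the device parameter is constrained by the schema before it reaches any run_command call.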
> > @@ -257,6 +263,9 @@ __PACKAGE__->register_method ({
> >      description => "Destroy OSD",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -378,6 +387,9 @@ __PACKAGE__->register_method ({
> >      description => "ceph osd in",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -414,6 +426,9 @@ __PACKAGE__->register_method ({
> >      description => "ceph osd out",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -486,6 +501,9 @@ __PACKAGE__->register_method ({
> >      method => 'GET',
> >      description => "Directory index.",
> >      permissions => { user => 'all' },
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
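Review bot: In the "Directory index." method the context line `permissions => { user => 'all' },` is kept and a second `permissions` key is added directly below it. Perl keeps the last value of a duplicate hash key, so the new check takes effect, but the stale entry is misleading to anyone auditing access to this method; replace the old line instead of adding a second key.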
> > @@ -527,6 +545,9 @@ __PACKAGE__->register_method ({
> >      description => "List local disks.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -588,6 +609,9 @@ __PACKAGE__->register_method ({
> >      name => 'config',
> >      path => 'config',
> >      method => 'GET',
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      description => "Get Ceph configuration.",
> >      parameters => {
> >      	additionalProperties => 0,
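Review bot: Style point for the `config` method: the `permissions` block is placed before `description`, while the other hunks in this file put it directly above `parameters`. Keeping one position throughout makes it easier to verify at a glance that every registered method carries a check.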
> > @@ -613,6 +637,9 @@ __PACKAGE__->register_method ({
> >      description => "Get Ceph monitor list.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -679,6 +706,9 @@ __PACKAGE__->register_method ({
> >      description => "Create initial ceph default configuration and setup
> > symlinks.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -788,6 +818,9 @@ __PACKAGE__->register_method ({
> >      description => "Create Ceph Monitor",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -915,6 +948,9 @@ __PACKAGE__->register_method ({
> >      description => "Destroy Ceph monitor.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -980,6 +1016,9 @@ __PACKAGE__->register_method ({
> >      description => "Stop ceph services.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -1027,6 +1066,9 @@ __PACKAGE__->register_method ({
> >      description => "Start ceph services.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -1074,6 +1116,9 @@ __PACKAGE__->register_method ({
> >      description => "Get ceph status.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -1097,6 +1142,9 @@ __PACKAGE__->register_method ({
> >      description => "List all pools.",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -1159,6 +1207,9 @@ __PACKAGE__->register_method ({
> >      description => "Create POOL",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -1263,6 +1314,9 @@ __PACKAGE__->register_method ({
> >      description => "Destroy pool",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Console' ]],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > @@ -1300,6 +1354,9 @@ __PACKAGE__->register_method ({
> >      description => "Get OSD crush map",
> >      proxyto => 'node',
> >      protected => 1,
> > +    permissions => {
> > +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> > +    },
> >      parameters => {
> >      	additionalProperties => 0,
> >  	properties => {
> > diff --git a/www/manager/node/Config.js b/www/manager/node/Config.js
> > index e6c7ae1..82ae0a0 100644
> > --- a/www/manager/node/Config.js
> > +++ b/www/manager/node/Config.js
> > @@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', {
> >  		    nodename: nodename
> >  		}
> >  	    ]);
> > +	}
> > +
> > +	if (caps.nodes['Sys.Console'] || caps.nodes['Sys.Audit'] ||
> > +	    caps.nodes['Sys.Log']) {
> >  	    me.items.push([{
> >  		title: 'Ceph',
> >  		itemId: 'ceph',
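Review bot: The tab condition `caps.nodes['Sys.Console'] || caps.nodes['Sys.Audit'] || caps.nodes['Sys.Log']` does not match the checks added in Ceph.pm. The GET methods there also accept `Datastore.Audit` alone, and they check path '/' rather than `caps.nodes`, so a user holding only Datastore.Audit passes the API check but is not shown the tab, and the reverse mismatch may show the tab to a user whose calls are then refused. Align the condition with the API checks; the server-side check remains the one that enforces access.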
> > -- 
> > 2.1.4
> > 
> > 
> > _______________________________________________
> > pve-devel mailing list
> > pve-devel at pve.proxmox.com
> > http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> > 
> 