[pve-devel] [PATCH access-control 1/1] fix #233: return cluster name on successful login

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Nov 13 12:06:53 CET 2018


If a cluster is configured then return the cluster name on successful
login - if the user has Sys.Audit privileges on the '/' path (same
as for returning cluster info, like the join info path uses)

This is more for the reason that some admins do not want to expose
this to lesser privileged (API) users. While yes, you can
theoretically launch a (DDOS resembling) attack which stresses the
corosync network if you know the cluster_name (it's still encrypted
but you can back-calculate the multicast group membership info) you
need to be able to send multicast traffic on the corosync LAN -
which can be seen as a pretty big privilege anyway.

But, for now reduce permissions - we can more easily loosen them than
tighten without causing issues anyway.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 PVE/API2/AccessControl.pm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 414da3a..93f384a 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -7,6 +7,7 @@ use PVE::Exception qw(raise raise_perm_exc);
 use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
 use PVE::Cluster qw(cfs_read_file);
+use PVE::Corosync;
 use PVE::RESTHandler;
 use PVE::AccessControl;
 use PVE::JSONSchema qw(get_standard_option);
@@ -246,6 +247,7 @@ __PACKAGE__->register_method ({
 	    username => { type => 'string' },
 	    ticket => { type => 'string', optional => 1},
 	    CSRFPreventionToken => { type => 'string', optional => 1 },
+	    clustername => { type => 'string', optional => 1 },
 	}
     },
     code => sub {
@@ -277,6 +279,16 @@ __PACKAGE__->register_method ({
 
 	$res->{cap} = &$compute_api_permission($rpcenv, $username);
 
+	if (PVE::Corosync::check_conf_exists(1)) {
+	    if ($rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
+		my $conf = cfs_read_file('corosync.conf');
+		my $totem = PVE::Corosync::totem_config($conf);
+		if ($totem->{cluster_name}) {
+		    $res->{clustername} = $totem->{cluster_name};
+		}
+	    }
+	}
+
 	PVE::Cluster::log_msg('info', 'root at pam', "successful auth for user '$username'");
 
 	return $res;
-- 
2.19.1





More information about the pve-devel mailing list