[pve-devel] [RFC v2 qemu-server] close #2741: add VM.Config.Cloudinit permission

Mira Limbeck m.limbeck at proxmox.com
Thu Jun 25 16:48:47 CEST 2020


This allows setting ciuser, cipassword and all other cloudinit settings that
are not part of the network without VM.Config.Network permissions.
Keep VM.Config.Network still as fallback so custom roles that add
VM.Config.Network but not VM.Config.Cloudinit don't break.

Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
---
v2:
 - fallback for 'VM.Config.Network'
 - addition to $vm_config_perm_list
 - removed unnecessary print statement

This requires the pve-access-control patch.

 PVE/API2/Qemu.pm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 3965c26..b33359d 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -358,8 +358,10 @@ my $check_vm_modify_config_perm = sub {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
 	} elsif ($diskoptions->{$opt}) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-	} elsif ($cloudinitoptions->{$opt} || ($opt =~ m/^(?:net|ipconfig)\d+$/)) {
+	} elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
+	} elsif ($cloudinitoptions->{$opt}) {
+	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Cloudinit', 'VM.Config.Network'], 1);
 	} elsif ($opt eq 'vmstate') {
 	    # the user needs Disk and PowerMgmt privileges to change the vmstate
 	    # also needs privileges on the storage, that will be checked later
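Review bot: The trailing `1` in the new `check_vm_perm` call on the `$cloudinitoptions` branch is a bare positional flag, and its meaning (going by the commit message, any one of the listed privileges suffices) is not visible at the call site. A one-line comment like the one on the `vmstate` branch would make this clear. The comment or the commit message should also state that, because of the fallback, a role holding only VM.Config.Network can still set ciuser and cipassword, so the new privilege lets cloud-init access be granted separately but does not take it away from existing Network holders.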
@@ -1354,6 +1356,7 @@ my $vm_config_perm_list = [
 	    'VM.Config.Network',
 	    'VM.Config.HWType',
 	    'VM.Config.Options',
+	    'VM.Config.Cloudinit',
     ];
 
 __PACKAGE__->register_method({
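Review bot: `'VM.Config.Cloudinit'` is added to `$vm_config_perm_list` here, but the privilege itself is defined only in the separate pve-access-control patch the notes mention, and nothing in this patch ties the two together. A versioned dependency on the pve-access-control release that carries the privilege would keep an installation with the older package from referencing a privilege name it does not know.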
-- 
2.20.1




