[pve-devel] [PATCH manager 1/1] fix #3402: add Pool.Audit permission

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Apr 30 13:27:54 CEST 2021


On April 29, 2021 11:49 am, Lorenz Stechauner wrote:
> Signed-off-by: Lorenz Stechauner <l.stechauner at proxmox.com>
> ---
>  PVE/API2/Cluster.pm | 2 +-
>  PVE/API2/Pool.pm    | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/PVE/API2/Cluster.pm b/PVE/API2/Cluster.pm
> index ab5b28a1..ace5b5b1 100644
> --- a/PVE/API2/Cluster.pm
> +++ b/PVE/API2/Cluster.pm
> @@ -332,7 +332,7 @@ __PACKAGE__->register_method({
>  	    for my $pool (sort keys %{$usercfg->{pools}}) {
>  		my $d = $usercfg->{pools}->{$pool};
>  
> -		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
> +		next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
>  
>  		my $entry = {
>  		    id => "/pool/$pool",
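Review bot: The `check` call in the pool loop now accepts only Pool.Audit, so a role that holds Pool.Allocate but not Pool.Audit on /pool/$pool no longer gets its pools in this listing. Pool.pm already filters with `$rpcenv->check_any(...)` over a privilege list; using `check_any` here with `[ 'Pool.Audit', 'Pool.Allocate' ]` would keep existing custom roles working.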
> diff --git a/PVE/API2/Pool.pm b/PVE/API2/Pool.pm
> index 567c7e8d..6ef981fb 100644
> --- a/PVE/API2/Pool.pm
> +++ b/PVE/API2/Pool.pm
> @@ -23,7 +23,7 @@ __PACKAGE__->register_method ({
>      method => 'GET',
>      description => "Pool index.",
>      permissions => { 
> -	description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
> +	description => "List all pools where you have Pool.Audit or VM.Allocate permissions on /pool/<pool>.",

for backwards-compat we need to still accept Pool.Allocate as well.

there might be custom roles out there that have Pool.Allocate; those
would now not be able to see their pool anymore unless they happen to
have VM.Allocate on that pool as well, which is not a given.

we could drop Pool.Allocate for 7.0 if we want to break compat at that 
point..

>  	user => 'all',
>      },
>      parameters => {
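Review bot: The `description` string under `permissions` has to stay in sync with the privilege list that the listing loop passes to `check_any`. If Pool.Allocate remains accepted for compatibility, name all three privileges here, for example "List all pools where you have Pool.Audit, Pool.Allocate or VM.Allocate permissions on /pool/<pool>."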
> @@ -51,7 +51,7 @@ __PACKAGE__->register_method ({
>  	my $usercfg = $rpcenv->{user_cfg};
>  
>  	foreach my $pool (keys %{$usercfg->{pools}}) {
> -	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
> +	    next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Audit', 'VM.Allocate' ], 1);

which means this has to be changed

>  
>  	    my $entry = { poolid => $pool };
>  	    my $data = $usercfg->{pools}->{$pool};
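Review bot: Replacing 'Pool.Allocate' with 'Pool.Audit' in the `check_any` list hides pools from users whose role has Pool.Allocate but neither Pool.Audit nor VM.Allocate on that pool. Adding the new privilege instead of swapping it avoids that: `[ 'Pool.Audit', 'Pool.Allocate', 'VM.Allocate' ]`.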
> @@ -202,7 +202,7 @@ __PACKAGE__->register_method ({
>      path => '{poolid}', 
>      method => 'GET',
>      permissions => { 
> -	check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
> +	check => ['perm', '/pool/{poolid}', ['Pool.Audit']],

same here

>      },
>      description => "Get pool configuration.",
>      parameters => {
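Review bot: The `check` on GET `{poolid}` is narrower than the index filter: the index lists a pool to a user who has only VM.Allocate, but this endpoint then refuses to return its configuration, and with this change it also refuses roles that have only Pool.Allocate. Consider accepting either Pool.Audit or Pool.Allocate here, and decide deliberately whether VM.Allocate should stay excluded from reading the pool configuration.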
> -- 
> 2.20.1