[pve-devel] applied: [PATCH v3 manager] pve6to7: add check for pool permissions

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jun 18 10:56:16 CEST 2021 

with a small follow-up:

[PATCH] pve6to7: improve user.cfg parser

make it a bit more like the actual one - remove whitespace padding, use
same regex/split calls.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/CLI/pve6to7.pm | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/PVE/CLI/pve6to7.pm b/PVE/CLI/pve6to7.pm
index 4fe606f3..412fb30f 100644
--- a/PVE/CLI/pve6to7.pm
+++ b/PVE/CLI/pve6to7.pm
@@ -609,9 +609,20 @@ sub check_custom_pool_roles {
     my $raw = read_file('/etc/pve/user.cfg');
 
     my $roles = {};
-    while ($raw =~ /^\s*role:(.*?):(.*?):(.*?)\s*$/gm) {
-	my ($role, $privlist) = ($1, $2);
+    while ($raw =~ /^\s*(.+?)\s*$/gm) {
+	my $line = $1;
+	my @data;
 
+	foreach my $d (split (/:/, $line)) {
+	    $d =~ s/^\s+//;
+	    $d =~ s/\s+$//;
+	    push @data, $d
+	}
+
+	my $et = shift @data;
+	next if $et ne 'role';
+
+	my ($role, $privlist) = @data;
 	if (!PVE::AccessControl::verify_rolename($role, 1)) {
 	    warn "user config - ignore role '$role' - invalid characters in role name\n";
 	    next;
-- 
2.20.1

On June 17, 2021 10:39 am, Lorenz Stechauner wrote:
> the two checks make sure that:
> * no user defined role 'PVEPoolUser' exists
> * the user gets a hint for roles only containing Pool.Allocate and
>     not Pool.Audit
> 
> a very simple parser for user.cfg was implemented to be able to
> parse the (in pve 6 invalid) Pool.Audit permission
> 
> Signed-off-by: Lorenz Stechauner <l.stechauner at proxmox.com>
> ---
>  PVE/CLI/pve6to7.pm | 48 +++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 47 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/CLI/pve6to7.pm b/PVE/CLI/pve6to7.pm
> index 90f92a55..4fe606f3 100644
> --- a/PVE/CLI/pve6to7.pm
> +++ b/PVE/CLI/pve6to7.pm
> @@ -9,6 +9,7 @@ use PVE::API2::LXC;
>  use PVE::API2::Qemu;
>  use PVE::API2::Certificates;
>  
> +use PVE::AccessControl;
>  use PVE::Ceph::Tools;
>  use PVE::Cluster;
>  use PVE::Corosync;
> @@ -16,10 +17,11 @@ use PVE::INotify;
>  use PVE::JSONSchema;
>  use PVE::RPCEnvironment;
>  use PVE::Storage;
> -use PVE::Tools qw(run_command);
> +use PVE::Tools qw(run_command split_list);
>  use PVE::QemuServer;
>  use PVE::VZDump::Common;
>  
> +use File::Slurp;
>  use Term::ANSIColor;
>  
>  use PVE::CLIHandler;
> @@ -601,6 +603,49 @@ sub check_cifs_credential_location {
>      log_pass("no CIFS credentials at outdated location found.") if !$found;
>  }
>  
> +sub check_custom_pool_roles {
> +    log_info("Checking custom roles for pool permissions..");
> +
> +    my $raw = read_file('/etc/pve/user.cfg');
> +
> +    my $roles = {};
> +    while ($raw =~ /^\s*role:(.*?):(.*?):(.*?)\s*$/gm) {
> +	my ($role, $privlist) = ($1, $2);
> +
> +	if (!PVE::AccessControl::verify_rolename($role, 1)) {
> +	    warn "user config - ignore role '$role' - invalid characters in role name\n";
> +	    next;
> +	}
> +
> +	$roles->{$role} = {} if !$roles->{$role};
> +	foreach my $priv (split_list($privlist)) {
> +	    $roles->{$role}->{$priv} = 1;
> +	}
> +    }
> +
> +    foreach my $role (sort keys %{$roles}) {
> +	if (PVE::AccessControl::role_is_special($role)) {
> +	    next;
> +	}
> +
> +	if ($role eq "PVEPoolUser") {
> +	    # the user created a custom role named PVEPoolUser
> +	    log_fail("Custom role '$role' has a restricted name - a built-in role 'PVEPoolUser' will be available with the upgrade");
> +	} else {
> +	    log_pass("Custom role '$role' has no restricted name");
> +	}
> +
> +	my $perms = $roles->{$role};
> +	if ($perms->{'Pool.Allocate'} && $perms->{'Pool.Audit'}) {
> +	    log_pass("Custom role '$role' contains updated pool permissions");
> +	} elsif ($perms->{'Pool.Allocate'}) {
> +	    log_warn("Custom role '$role' contains permission 'Pool.Allocate' - to ensure same behavior add 'Pool.Audit' to this role");
> +	} else {
> +	    log_pass("Custom role '$role' contains no permissions that need to be updated");
> +	}
> +    }
> +}
> +
>  sub check_misc {
>      print_header("MISCELLANEOUS CHECKS");
>      my $ssh_config = eval { PVE::Tools::file_get_contents('/root/.ssh/config') };
> @@ -693,6 +738,7 @@ sub check_misc {
>  
>      check_backup_retention_settings();
>      check_cifs_credential_location();
> +    check_custom_pool_roles();
>  }
>  
>  __PACKAGE__->register_method ({
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
>

More information about the pve-devel mailing list