[pve-devel] [PATCH qemu-server v9 1/1] api: update: improve tag privilege check

Aaron Lauterer a.lauterer at proxmox.com
Tue Nov 15 09:34:15 CET 2022


a small nit inline

On 11/14/22 10:43, Dominik Csapak wrote:
> 'normal' tags require 'VM.Config.Options' on '/vm/<vmid>', but not
> allowed tags (either limited with 'user-tag-access' or 'privileged-tags'
> in the datacenter config) require 'Sys.Modify' on '/'
> 
> this patch implements the proper checks on adding/editing/deleting
> these permissions
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v8:
> * adapt to 'get_allowed_tags'
> * cache privilege checks (so we don't have to do it when many tags change)
>   PVE/API2/Qemu.pm | 53 +++++++++++++++++++++++++++++++++++++++++++++++-
>   1 file changed, 52 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 30348e6..269451c 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -539,7 +539,6 @@ my $generaloptions = {
>       'startup' => 1,
>       'tdf' => 1,
>       'template' => 1,
> -    'tags' => 1,
>   };
>   
>   my $vmpoweroptions = {
> @@ -609,6 +608,7 @@ my $check_vm_modify_config_perm = sub {
>   	next if PVE::QemuServer::is_valid_drivename($opt);
>   	next if $opt eq 'cdrom';
>   	next if $opt =~ m/^(?:unused|serial|usb)\d+$/;
> +	next if $opt eq 'tags';
>   
>   
>   	if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) {
> @@ -1631,6 +1631,31 @@ my $update_vm_api  = sub {
>   		}
>   	    };
>   
> +	    my $allowed_tags;
> +	    my $privileged_tags;
> +	    my $freeform;
> +	    my $privileged_user = $rpcenv->check($authuser, '/', ['Sys.Modify'], 1);
> +	    my $has_config_options =
> +		$rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], 1);
> +
> +	    my $check_tag_perms = sub {
> +		my ($tag) = @_;
> +
> +		return if $privileged_user;
> +
> +		$rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'])
> +		    if !$has_config_options;
> +
> +		if (!defined($allowed_tags) && !defined($privileged_tags) && !defined($freeform)) {
> +		    ($allowed_tags, $privileged_tags, $freeform)
> +			= PVE::DataCenterConfig::get_allowed_tags($rpcenv, $authuser);
> +		}
> +
> +		if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag}) {
> +		    die "'Sys.Modify' required on '/' for modifying tag $tag\n" if !$privileged_user;
would be nice if the tag would be within '. Putting $tag into {} would be a bit 
cleaner as well:

... for modifying tag '${tag}'\n" ...


> +		}
> +	    };
[...]





More information about the pve-devel mailing list