[pve-devel] [PATCH qemu-server v9 1/1] api: update: improve tag privilege check
Aaron Lauterer
a.lauterer at proxmox.com
Tue Nov 15 09:34:15 CET 2022
a small nit inline
On 11/14/22 10:43, Dominik Csapak wrote:
> 'normal' tags require 'VM.Config.Options' on '/vm/<vmid>', but not
> allowed tags (either limited with 'user-tag-access' or 'privileged-tags'
> in the datacenter config) require 'Sys.Modify' on '/'
>
> this patch implements the proper checks on adding/editing/deleting
> these permissions
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v8:
> * adapt to 'get_allowed_tags'
> * cache privilege checks (so we don't have to do it when many tags change)
> PVE/API2/Qemu.pm | 53 +++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 52 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 30348e6..269451c 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -539,7 +539,6 @@ my $generaloptions = {
> 'startup' => 1,
> 'tdf' => 1,
> 'template' => 1,
> - 'tags' => 1,
> };
>
> my $vmpoweroptions = {
> @@ -609,6 +608,7 @@ my $check_vm_modify_config_perm = sub {
> next if PVE::QemuServer::is_valid_drivename($opt);
> next if $opt eq 'cdrom';
> next if $opt =~ m/^(?:unused|serial|usb)\d+$/;
> + next if $opt eq 'tags';
>
>
> if ($cpuoptions->{$opt} || $opt =~ m/^numa\d+$/) {
> @@ -1631,6 +1631,31 @@ my $update_vm_api = sub {
> }
> };
>
> + my $allowed_tags;
> + my $privileged_tags;
> + my $freeform;
> + my $privileged_user = $rpcenv->check($authuser, '/', ['Sys.Modify'], 1);
> + my $has_config_options =
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'], 1);
> +
> + my $check_tag_perms = sub {
> + my ($tag) = @_;
> +
> + return if $privileged_user;
> +
> + $rpcenv->check_vm_perm($authuser, $vmid, undef, ['VM.Config.Options'])
> + if !$has_config_options;
> +
> + if (!defined($allowed_tags) && !defined($privileged_tags) && !defined($freeform)) {
> + ($allowed_tags, $privileged_tags, $freeform)
> + = PVE::DataCenterConfig::get_allowed_tags($rpcenv, $authuser);
> + }
> +
> + if ((!$allowed_tags->{$tag} && !$freeform) || $privileged_tags->{$tag}) {
> + die "'Sys.Modify' required on '/' for modifying tag $tag\n" if !$privileged_user;
would be nice if the tag would be within '. Putting $tag into {} would be a bit
cleaner as well:
... for modifying tag '${tag}'\n" ...
> + }
> + };
[...]
More information about the pve-devel
mailing list