[pve-devel] [RFC PATCH acces-control] auth: require quorum for ticket creaton of non PAM users

Dominik Csapak d.csapak at proxmox.com
Mon Oct 24 12:03:06 CEST 2022

when the current node is not part of the quorate partition, there is no
way to determine if a user has the proper permissions or is even still
enabled, so we should prevent ticket creation for these users.

The only exception we should make is for node-local users (PAM realm),
since there is a good chance those can login via console/ssh anyway, and
it's good to have at least some users as fallback that can still login
in such cases.

This does not prevent users from using already created tickets, nor does
it prevent api calls with api tokens (that would have to be done

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
sending as rfc, since i'm not completely sure that's what @Wolfgang and
@Thomas had in mind in [0], since it's not touching api tokens at all

0: https://lists.proxmox.com/pipermail/pve-devel/2022-October/054406.html

 src/PVE/API2/AccessControl.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 104e7e3..eb0543a 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -143,6 +143,9 @@ my sub verify_auth : prototype($$$$$$$) {
 my sub create_ticket_do : prototype($$$$$$) {
     my ($rpcenv, $username, $pw_or_ticket, $otp, $new_format, $tfa_challenge) = @_;
+    # allow login for non-quorate clusters only for node-local @pam users
+    PVE::Cluster::check_cfs_quorum() if $username !~ m/\@pam$/;
     die "TFA response should be in 'password', not 'otp' when 'tfa-challenge' is set\n"
 	if defined($otp) && defined($tfa_challenge);

More information about the pve-devel mailing list