[pve-devel] [RFC PATCH access-control] loosen locking restriction for users without tfa configured

Thu Sep 15 14:53:04 CEST 2022

Am 15/09/2022 um 14:40 schrieb Dominik Csapak:
> On 9/15/22 12:43, Thomas Lamprecht wrote:
>> Am 14/09/2022 um 15:42 schrieb Dominik Csapak:
>>> The downside is that we cannot authenticate users anymore without quorum
>>> (since locking requires write access to pmxcfs), even for users without
>>> tfa configured (and also for clusters without any tfa configured at all)
>>
>> question is more if we should disallow login on unquorate clusters for all
>> but root at pam, as for all others you cannot be sure if they still got the
>> permissions and for the pve realm the credentials are still correct, or
>> if the non-existing TFA entry is still up-to-date (the quorate partition
>> could have TFA configured for that user since cluster split).
> 
> fair point, but then we'd also have to deny api requests in general
> for non root at pam users when the cluster is not quorate,
> otherwise they can continue making requests with existing tickets
> (aside creating a new one)

That is something rather different and bound to the ticket life time, they
won't be able to renew the ticket or create new ones, so while the session
continues to be available for maximal 2h for GET calls it has already the
same limitations as new logins. IOW. if you want to see that as the same thing
you need to adapt tickets to have a cluster state first that can actively
be revoked on a per-ticket/user basis, as otherwise it'll always be "valid
ticket = valid login".

>>
>> root at pam is a hard-coded super admin and verified via PAM, which normally
>> should be pmxcfs, and thus quorum, independent, at least if nobody was crazy
>> enough to link /etc/shadow to a file in pmxcfs or wrote a PAM that works
>> on pmxcfs info in other ways.
> 
> AFAICS a user can't do anything on a non quorate cluster that wouldn't be possible
> over ssh for example ? since most operations already need the cluster to be quorate
> (aside from things such as network configuration, which might be the exact reason
> why the cluster is not quorate, so the admin/user wants to fix it)
> 
> so imho @pam could be allowed in general, but for the other realms it's
> very much a design decision.

Standard pam accounts do not get their Proxmox VE access level if connected via
SSH (or getting a shell in any other way), as the CLIHandler isn't user account
aware, so not sure how that would be an argument for allowing all of pam (which
may not even be allowed to SSH in or login (e.g., shell to /bin/false or the like,
you just cannot (simply!) derive/know that)

> 
> just to note: before accidentally breaking such logins by locking the tfa
> config, we always let users login, regardless of cluster quorum state
> 

yes I know, the question if that's right still stands, more secure is to not
allow it, and iff, we could provide a datacenter.cfg option to allow such things
with the (natural) warning that changes to that will only affected quorate notes.