[pve-devel] applied: [PATCH 1/2] disk api: avoid using unrelated Datastore.Audit priv for disk management

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Jun 17 15:32:40 CEST 2023


Local disk and storage creation and listing is something rather
different than the Proxmox VE storage client ABI that provides an
abstract access to a variety of storage types, specifically targeted
to virtual guests images, templates and backups.

The Datastore.* privilege group is specifically made for auditing the
abstract configuration, here the name must be interpreted in context
and not just assumed that due to "datastore" sounding like it could
have to do something with disks or creation of local storage it just
must be a good fit.

Luckily, Sys.Audit was already used too, which is the correct one
here, this is for node specific (HW) details, not some config for
accessing datastore in a restricted way.

This is a step in splitting the disk manage code out of the
pve-storage package, and maybe even repository.

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 src/PVE/API2/Disks.pm           | 7 ++-----
 src/PVE/API2/Disks/Directory.pm | 2 +-
 src/PVE/API2/Disks/LVM.pm       | 2 +-
 src/PVE/API2/Disks/LVMThin.pm   | 2 +-
 src/PVE/API2/Disks/ZFS.pm       | 4 ++--
 5 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/src/PVE/API2/Disks.pm b/src/PVE/API2/Disks.pm
index bde6132..f0e3fc4 100644
--- a/src/PVE/API2/Disks.pm
+++ b/src/PVE/API2/Disks.pm
@@ -85,10 +85,7 @@ __PACKAGE__->register_method ({
     protected => 1,
     proxyto => 'node',
     permissions => {
-	check => ['or',
-	    ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
-	    ['perm', '/nodes/{node}', ['Sys.Audit', 'Datastore.Audit'], any => 1],
-	],
+	check => ['or', ['perm', '/', ['Sys.Audit']], ['perm', '/nodes/{node}', ['Sys.Audit']]],
     },
     parameters => {
 	additionalProperties => 0,
@@ -183,7 +180,7 @@ __PACKAGE__->register_method ({
     protected => 1,
     proxyto => "node",
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['perm', '/', ['Sys.Audit']],
     },
     parameters => {
 	additionalProperties => 0,
diff --git a/src/PVE/API2/Disks/Directory.pm b/src/PVE/API2/Disks/Directory.pm
index efc701a..5cddddb 100644
--- a/src/PVE/API2/Disks/Directory.pm
+++ b/src/PVE/API2/Disks/Directory.pm
@@ -97,7 +97,7 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['perm', '/', ['Sys.Audit']],
     },
     description => "PVE Managed Directory storages.",
     parameters => {
diff --git a/src/PVE/API2/Disks/LVM.pm b/src/PVE/API2/Disks/LVM.pm
index c091e37..f0419f6 100644
--- a/src/PVE/API2/Disks/LVM.pm
+++ b/src/PVE/API2/Disks/LVM.pm
@@ -21,7 +21,7 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['perm', '/', ['Sys.Audit']],
     },
     description => "List LVM Volume Groups",
     parameters => {
diff --git a/src/PVE/API2/Disks/LVMThin.pm b/src/PVE/API2/Disks/LVMThin.pm
index 89b6401..bd6d47b 100644
--- a/src/PVE/API2/Disks/LVMThin.pm
+++ b/src/PVE/API2/Disks/LVMThin.pm
@@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['perm', '/', ['Sys.Audit']],
     },
     description => "List LVM thinpools",
     parameters => {
diff --git a/src/PVE/API2/Disks/ZFS.pm b/src/PVE/API2/Disks/ZFS.pm
index afd9a3e..6a4381c 100644
--- a/src/PVE/API2/Disks/ZFS.pm
+++ b/src/PVE/API2/Disks/ZFS.pm
@@ -57,7 +57,7 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['perm', '/', ['Sys.Audit']],
     },
     description => "List Zpools.",
     parameters => {
@@ -130,7 +130,7 @@ __PACKAGE__->register_method ({
     proxyto => 'node',
     protected => 1,
     permissions => {
-	check => ['perm', '/', ['Sys.Audit', 'Datastore.Audit'], any => 1],
+	check => ['perm', '/', ['Sys.Audit']],
     },
     description => "Get details about a zpool.",
     parameters => {
-- 
2.39.2






More information about the pve-devel mailing list