[pve-devel] fix #5254: add separate Sys.AccessNetwork privilege

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Feb 23 11:21:08 CET 2024

On February 19, 2024 6:14 pm, Thomas Lamprecht wrote:
> Adds a new Sys.AccessNetwork privilege that can be used to guard API
> endpoints that can do outgoing network requests with (some) user control
> over said requests, like e.g. the "download URL to storage" one.
> ## Backstory:
> This stems from an user request [0] w.r.t. the "download image through
> and URL directly to a storage" functionality and their use case of that
> through automation while wanting to adhere to the principle of least
> privilege.
> Because before this series the access to the required endpoints was
> guarded by the more powerful Sys.Modify and Sys.Audit privilege
> requirement on the / root ACL object path.
> So, if anybody wants to set up an API token so that automation can
> handle image downloads they'd need to give that API token very powerful
> permissions to make it work.
> A more specialized privilege seems warranted now, so add the
> Sys.AccessNetwork one and adapt the /nodes/{node}/query-url-metadata and
> the related /nodes/{node}/storage/{storage}/download-url API endpoints
> for now.
> ## Testing:
> Tested by creating a new custom role with the privileges
> `Datastore.Audit,Datastore.AllocateTemplate,Sys.AccessNetwork`, then
> created a user that gets a permission with above role for a specific
> node and a storage and then try querying and downloading an image, with
> and without this patch series applied.
> ## Future Work
> We could this even re-use for other endpoints, like adding storages that
> are accessed through the network, as that provides a (limited) side
> channel too.

for the whole series:

Reviewed-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>

this seems like a sensible addition, and is hopefully neither to
specific nor too generic for future extensions.

while the dependencies are not "hard", it might still be a good idea to
bump the min versions to ensure no weird combination is moved along the
repositories (and also, it makes it easier to tell users which version
they need, since just looking at pve-manager or pve-storage depending on
the endpoint is needed).

More information about the pve-devel mailing list