[pve-devel] [PATCH pve-firewall v5 1/5] api: add protected flag to endpoints
Stefan Hanreich
s.hanreich at proxmox.com
Mon Nov 18 12:41:30 CET 2024
In preparation for loading the SDN configuration during
load_clusterfw_conf. Since we read /etc/pve/priv/ipam.db there, we
require the protected flag to be set.
Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
src/PVE/API2/Firewall/Aliases.pm | 2 ++
src/PVE/API2/Firewall/Cluster.pm | 2 ++
src/PVE/API2/Firewall/Groups.pm | 1 +
src/PVE/API2/Firewall/Host.pm | 1 +
src/PVE/API2/Firewall/IPSet.pm | 2 ++
src/PVE/API2/Firewall/Rules.pm | 2 ++
src/PVE/API2/Firewall/VM.pm | 2 ++
7 files changed, 12 insertions(+)
diff --git a/src/PVE/API2/Firewall/Aliases.pm b/src/PVE/API2/Firewall/Aliases.pm
index 33ac669..2f947aa 100644
--- a/src/PVE/API2/Firewall/Aliases.pm
+++ b/src/PVE/API2/Firewall/Aliases.pm
@@ -87,6 +87,7 @@ sub register_get_aliases {
path => '',
method => 'GET',
description => "List aliases",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
@@ -177,6 +178,7 @@ sub register_read_alias {
path => '{name}',
method => 'GET',
description => "Read alias.",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Cluster.pm b/src/PVE/API2/Firewall/Cluster.pm
index 48ad90d..f91257e 100644
--- a/src/PVE/API2/Firewall/Cluster.pm
+++ b/src/PVE/API2/Firewall/Cluster.pm
@@ -88,6 +88,7 @@ __PACKAGE__->register_method({
path => 'options',
method => 'GET',
description => "Get Firewall options.",
+ protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit' ]],
},
@@ -214,6 +215,7 @@ __PACKAGE__->register_method({
permissions => {
check => ['perm', '/', [ 'Sys.Audit' ]],
},
+ protected => 1,
parameters => {
additionalProperties => 0,
properties => {
diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index ffdc45c..98b0747 100644
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -44,6 +44,7 @@ __PACKAGE__->register_method({
path => '',
method => 'GET',
description => "List security groups.",
+ protected => 1,
permissions => { user => 'all' },
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Host.pm b/src/PVE/API2/Firewall/Host.pm
index 0432de2..8bd5da1 100644
--- a/src/PVE/API2/Firewall/Host.pm
+++ b/src/PVE/API2/Firewall/Host.pm
@@ -68,6 +68,7 @@ __PACKAGE__->register_method({
path => 'options',
method => 'GET',
description => "Get host firewall options.",
+ protected => 1,
proxyto => 'node',
permissions => {
check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index ed92d87..98c5443 100644
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -91,6 +91,7 @@ sub register_get_ipset {
path => '',
method => 'GET',
description => "List IPSet content",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
@@ -586,6 +587,7 @@ sub register_index {
path => '',
method => 'GET',
description => "List IPSets",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 9fcfb20..9e903d4 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -72,6 +72,7 @@ sub register_get_rules {
path => '',
method => 'GET',
description => "List rules.",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
@@ -120,6 +121,7 @@ sub register_get_rule {
path => '{pos}',
method => 'GET',
description => "Get single rule data.",
+ protected => 1,
permissions => PVE::Firewall::rules_audit_permissions($rule_env),
parameters => {
additionalProperties => 0,
diff --git a/src/PVE/API2/Firewall/VM.pm b/src/PVE/API2/Firewall/VM.pm
index 4222103..3400375 100644
--- a/src/PVE/API2/Firewall/VM.pm
+++ b/src/PVE/API2/Firewall/VM.pm
@@ -69,6 +69,7 @@ sub register_handlers {
path => 'options',
method => 'GET',
description => "Get VM firewall options.",
+ protected => 1,
proxyto => 'node',
permissions => {
check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
@@ -234,6 +235,7 @@ sub register_handlers {
path => 'refs',
method => 'GET',
description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
+ protected => 1,
permissions => {
check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
},
--
2.39.5
More information about the pve-devel
mailing list