node console: allow usage for non-pam realms

non-login commands are still restricted to root@pam if they were before.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2023-06-14 12:42:14 +02:00 committed by Thomas Lamprecht
parent 4fb92ae88a
commit 7914f5e7b2


@ -939,7 +939,6 @@ __PACKAGE__->register_method ({
method => 'POST', method => 'POST',
protected => 1, protected => 1,
permissions => { permissions => {
description => "Restricted to users on realm 'pam'",
check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]], check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]],
}, },
description => "Creates a VNC Shell proxy.", description => "Creates a VNC Shell proxy.",
@ -998,7 +997,6 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get(); my $rpcenv = PVE::RPCEnvironment::get();
my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user()); my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user());
raise_perm_exc("realm != pam") if $realm ne 'pam';
if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') { if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') {
raise_perm_exc('user != root@pam'); raise_perm_exc('user != root@pam');
@ -1079,7 +1077,6 @@ __PACKAGE__->register_method ({
method => 'POST', method => 'POST',
protected => 1, protected => 1,
permissions => { permissions => {
description => "Restricted to users on realm 'pam'",
check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]], check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]],
}, },
description => "Creates a VNC Shell proxy.", description => "Creates a VNC Shell proxy.",
@ -1117,7 +1114,6 @@ __PACKAGE__->register_method ({
my $rpcenv = PVE::RPCEnvironment::get(); my $rpcenv = PVE::RPCEnvironment::get();
my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user()); my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user());
raise_perm_exc("realm $realm != pam") if $realm ne 'pam';
my $node = $param->{node}; my $node = $param->{node};
my $authpath = "/nodes/$node"; my $authpath = "/nodes/$node";
@ -1160,7 +1156,7 @@ __PACKAGE__->register_method({
path => 'vncwebsocket', path => 'vncwebsocket',
method => 'GET', method => 'GET',
permissions => { permissions => {
description => "Restricted to users on realm 'pam'. You also need to pass a valid ticket (vncticket).", description => "You also need to pass a valid ticket (vncticket).",
check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]], check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]],
}, },
description => "Opens a websocket for VNC traffic.", description => "Opens a websocket for VNC traffic.",
@ -1194,8 +1190,6 @@ __PACKAGE__->register_method({
my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user()); my ($user, undef, $realm) = PVE::AccessControl::verify_username($rpcenv->get_user());
raise_perm_exc("realm != pam") if $realm ne 'pam';
my $authpath = "/nodes/$param->{node}"; my $authpath = "/nodes/$param->{node}";
PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $user, $authpath); PVE::AccessControl::verify_vnc_ticket($param->{vncticket}, $user, $authpath);
@ -1212,7 +1206,6 @@ __PACKAGE__->register_method ({
protected => 1, protected => 1,
proxyto => 'node', proxyto => 'node',
permissions => { permissions => {
description => "Restricted to users on realm 'pam'",
check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]], check => ['perm', '/nodes/{node}', [ 'Sys.Console' ]],
}, },
description => "Creates a SPICE shell.", description => "Creates a SPICE shell.",
@ -1246,7 +1239,6 @@ __PACKAGE__->register_method ({
my ($user, undef, $realm) = PVE::AccessControl::verify_username($authuser); my ($user, undef, $realm) = PVE::AccessControl::verify_username($authuser);
raise_perm_exc("realm != pam") if $realm ne 'pam';
if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') { if (defined($param->{cmd}) && $param->{cmd} ne 'login' && $user ne 'root@pam') {
raise_perm_exc('user != root@pam'); raise_perm_exc('user != root@pam');
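Review bot: The `permissions` descriptions in the first, third and seventh hunks are dropped outright, so the API schema no longer tells an administrator that commands other than `login` stay restricted to `root@pam` (the `$user ne 'root@pam'` check kept in the second and last hunks). With the realm test gone, `Sys.Console` on `/nodes/{node}` is the only gate visible in these hunks for users of any realm, so I would keep a description on the methods that accept `cmd`, for example `description => "Commands other than 'login' are restricted to 'root@pam'.",`. `$realm` is also still unpacked from `verify_username()` in all four code hunks but is no longer read in the visible lines; if nothing further down uses it, `my ($user) = PVE::AccessControl::verify_username(...)` with the existing argument would be enough. The enclosing `code` subs start and end outside the hunks, so both points should be checked against the full bodies.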