proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-08-06 07:20:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add permissions to allow non root ceph configuration

Browse Source 
Do not only allow root@pam to admin ceph server as some user do not
want to allow root logins and users with the Sys.Modify permission
should be able to modify ceph related stuff.

We use basically the following permissions:
 Sys.Modify:
    for any delete, add, modify action (POST, PUT, DELETE)
 Sys.Audit and Datastore.Audit:
    for any status/information view action (GET)
 Sys.Log:
    for viewing the Ceph log (was already implemented)

We have two exceptions creating and destroying osds. Those may only
be done by 'root@pam' for security reasons.

Also show users with any of those capabilities the ceph tab in the
web GUI.

Addresses bug#818
This commit is contained in:
Thomas Lamprecht 2016-02-08 14:51:38 +01:00 committed by Dietmar Maurer
parent feaf335817
commit 90c75580b6
2 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
PVE/API2/Ceph.pm
View File

@ -61,6 +61,9 @@ __PACKAGE__->register_method ({
description => "Get Ceph osd list/tree.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {
@ -378,6 +381,9 @@ __PACKAGE__->register_method ({
description => "ceph osd in",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -414,6 +420,9 @@ __PACKAGE__->register_method ({
description => "ceph osd out",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -486,6 +495,9 @@ __PACKAGE__->register_method ({
method => 'GET',
description => "Directory index.",
permissions => { user => 'all' },
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {
@ -527,6 +539,9 @@ __PACKAGE__->register_method ({
description => "List local disks.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {
@ -588,6 +603,9 @@ __PACKAGE__->register_method ({
name => 'config',
path => 'config',
method => 'GET',
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
description => "Get Ceph configuration.",
parameters => {
additionalProperties => 0,
@ -613,6 +631,9 @@ __PACKAGE__->register_method ({
description => "Get Ceph monitor list.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {
@ -679,6 +700,9 @@ __PACKAGE__->register_method ({
description => "Create initial ceph default configuration and setup symlinks.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -788,6 +812,9 @@ __PACKAGE__->register_method ({
description => "Create Ceph Monitor",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -915,6 +942,9 @@ __PACKAGE__->register_method ({
description => "Destroy Ceph monitor.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -980,6 +1010,9 @@ __PACKAGE__->register_method ({
description => "Stop ceph services.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -1027,6 +1060,9 @@ __PACKAGE__->register_method ({
description => "Start ceph services.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -1074,6 +1110,9 @@ __PACKAGE__->register_method ({
description => "Get ceph status.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {
@ -1097,6 +1136,9 @@ __PACKAGE__->register_method ({
description => "List all pools.",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {
@ -1159,6 +1201,9 @@ __PACKAGE__->register_method ({
description => "Create POOL",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -1263,6 +1308,9 @@ __PACKAGE__->register_method ({
description => "Destroy pool",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => {
additionalProperties => 0,
properties => {
@ -1300,6 +1348,9 @@ __PACKAGE__->register_method ({
description => "Get OSD crush map",
proxyto => 'node',
protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => {
additionalProperties => 0,
properties => {

4
www/manager/node/Config.js
View File

@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', {
nodename: nodename
}
]);
}
if (caps.nodes['Sys.Modify'] || caps.nodes['Sys.Audit'] ||
caps.nodes['Sys.Log']) {
me.items.push([{
title: 'Ceph',
itemId: 'ceph',