From 90c75580b6099d726467c46e1b4cdcda13cf185f Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Mon, 8 Feb 2016 14:51:38 +0100 Subject: [PATCH] add permissions to allow non root ceph configuration Do not only allow root@pam to admin ceph server as some user do not want to allow root logins and users with the Sys.Modify permission should be able to modify ceph related stuff. We use basically the following permissions: Sys.Modify: for any delete, add, modify action (POST, PUT, DELETE) Sys.Audit and Datastore.Audit: for any status/information view action (GET) Sys.Log: for viewing the Ceph log (was already implemented) We have two exceptions creating and destroying osds. Those may only be done by 'root@pam' for security reasons. Also show users with any of those capabilities the ceph tab in the web GUI. Addresses bug#818 --- PVE/API2/Ceph.pm | 51 ++++++++++++++++++++++++++++++++++++++ www/manager/node/Config.js | 4 +++ 2 files changed, 55 insertions(+) diff --git a/PVE/API2/Ceph.pm b/PVE/API2/Ceph.pm index e8319890..786eecf7 100644 --- a/PVE/API2/Ceph.pm +++ b/PVE/API2/Ceph.pm @@ -61,6 +61,9 @@ __PACKAGE__->register_method ({ description => "Get Ceph osd list/tree.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { @@ -378,6 +381,9 @@ __PACKAGE__->register_method ({ description => "ceph osd in", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -414,6 +420,9 @@ __PACKAGE__->register_method ({ description => "ceph osd out", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -486,6 +495,9 @@ __PACKAGE__->register_method ({ method => 'GET', description => "Directory index.", permissions => { user => 'all' }, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { @@ -527,6 +539,9 @@ __PACKAGE__->register_method ({ description => "List local disks.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { @@ -588,6 +603,9 @@ __PACKAGE__->register_method ({ name => 'config', path => 'config', method => 'GET', + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, description => "Get Ceph configuration.", parameters => { additionalProperties => 0, @@ -613,6 +631,9 @@ __PACKAGE__->register_method ({ description => "Get Ceph monitor list.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { @@ -679,6 +700,9 @@ __PACKAGE__->register_method ({ description => "Create initial ceph default configuration and setup symlinks.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -788,6 +812,9 @@ __PACKAGE__->register_method ({ description => "Create Ceph Monitor", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -915,6 +942,9 @@ __PACKAGE__->register_method ({ description => "Destroy Ceph monitor.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -980,6 +1010,9 @@ __PACKAGE__->register_method ({ description => "Stop ceph services.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -1027,6 +1060,9 @@ __PACKAGE__->register_method ({ description => "Start ceph services.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -1074,6 +1110,9 @@ __PACKAGE__->register_method ({ description => "Get ceph status.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { @@ -1097,6 +1136,9 @@ __PACKAGE__->register_method ({ description => "List all pools.", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { @@ -1159,6 +1201,9 @@ __PACKAGE__->register_method ({ description => "Create POOL", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -1263,6 +1308,9 @@ __PACKAGE__->register_method ({ description => "Destroy pool", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Modify' ]], + }, parameters => { additionalProperties => 0, properties => { @@ -1300,6 +1348,9 @@ __PACKAGE__->register_method ({ description => "Get OSD crush map", proxyto => 'node', protected => 1, + permissions => { + check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1], + }, parameters => { additionalProperties => 0, properties => { diff --git a/www/manager/node/Config.js b/www/manager/node/Config.js index e6c7ae10..bc0494ea 100644 --- a/www/manager/node/Config.js +++ b/www/manager/node/Config.js @@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', { nodename: nodename } ]); + } + + if (caps.nodes['Sys.Modify'] || caps.nodes['Sys.Audit'] || + caps.nodes['Sys.Log']) { me.items.push([{ title: 'Ceph', itemId: 'ceph',