proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-08-09 14:37:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add permissions to allow non root ceph configuration

Browse Source 
Do not only allow root@pam to admin ceph server as some user do not
want to allow root logins and users with the Sys.Modify permission
should be able to modify ceph related stuff.

We use basically the following permissions:
 Sys.Modify:
    for any delete, add, modify action (POST, PUT, DELETE)
 Sys.Audit and Datastore.Audit:
    for any status/information view action (GET)
 Sys.Log:
    for viewing the Ceph log (was already implemented)

We have two exceptions creating and destroying osds. Those may only
be done by 'root@pam' for security reasons.

Also show users with any of those capabilities the ceph tab in the
web GUI.

Addresses bug#818
This commit is contained in:
Thomas Lamprecht 2016-02-08 14:51:38 +01:00 committed by Dietmar Maurer
parent feaf335817
commit 90c75580b6
2 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
PVE/API2/Ceph.pm
View File

@ -61,6 +61,9 @@ __PACKAGE__->register_method ({
description => "Get Ceph osd list/tree.", description => "Get Ceph osd list/tree.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -378,6 +381,9 @@ __PACKAGE__->register_method ({
description => "ceph osd in", description => "ceph osd in",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -414,6 +420,9 @@ __PACKAGE__->register_method ({
description => "ceph osd out", description => "ceph osd out",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -486,6 +495,9 @@ __PACKAGE__->register_method ({
method => 'GET', method => 'GET',
description => "Directory index.", description => "Directory index.",
permissions => { user => 'all' }, permissions => { user => 'all' },
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -527,6 +539,9 @@ __PACKAGE__->register_method ({
description => "List local disks.", description => "List local disks.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -588,6 +603,9 @@ __PACKAGE__->register_method ({
name => 'config', name => 'config',
path => 'config', path => 'config',
method => 'GET', method => 'GET',
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
description => "Get Ceph configuration.", description => "Get Ceph configuration.",
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
@ -613,6 +631,9 @@ __PACKAGE__->register_method ({
description => "Get Ceph monitor list.", description => "Get Ceph monitor list.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -679,6 +700,9 @@ __PACKAGE__->register_method ({
description => "Create initial ceph default configuration and setup symlinks.", description => "Create initial ceph default configuration and setup symlinks.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -788,6 +812,9 @@ __PACKAGE__->register_method ({
description => "Create Ceph Monitor", description => "Create Ceph Monitor",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -915,6 +942,9 @@ __PACKAGE__->register_method ({
description => "Destroy Ceph monitor.", description => "Destroy Ceph monitor.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -980,6 +1010,9 @@ __PACKAGE__->register_method ({
description => "Stop ceph services.", description => "Stop ceph services.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -1027,6 +1060,9 @@ __PACKAGE__->register_method ({
description => "Start ceph services.", description => "Start ceph services.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -1074,6 +1110,9 @@ __PACKAGE__->register_method ({
description => "Get ceph status.", description => "Get ceph status.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -1097,6 +1136,9 @@ __PACKAGE__->register_method ({
description => "List all pools.", description => "List all pools.",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -1159,6 +1201,9 @@ __PACKAGE__->register_method ({
description => "Create POOL", description => "Create POOL",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -1263,6 +1308,9 @@ __PACKAGE__->register_method ({
description => "Destroy pool", description => "Destroy pool",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Modify' ]],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {
@ -1300,6 +1348,9 @@ __PACKAGE__->register_method ({
description => "Get OSD crush map", description => "Get OSD crush map",
proxyto => 'node', proxyto => 'node',
protected => 1, protected => 1,
permissions => {
check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
},
parameters => { parameters => {
additionalProperties => 0, additionalProperties => 0,
properties => { properties => {

4
www/manager/node/Config.js
View File

@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', {
nodename: nodename nodename: nodename
} }
]); ]);
}
if (caps.nodes['Sys.Modify'] || caps.nodes['Sys.Audit'] ||
caps.nodes['Sys.Log']) {
me.items.push([{ me.items.push([{
title: 'Ceph', title: 'Ceph',
itemId: 'ceph', itemId: 'ceph',