fix #3402: add Pool.Audit permission

everywhere where Pool.Allocate was unnecessarly used it was replaced
with Pool.Audit.

`/cluster/resources` now returns pool infomation for guests only if
the requesting user has the Pool.Audit permission on the pool.

`/pool/` now returns only pools where the requesting user has the
Pool.Audit permission.

Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
This commit is contained in:
Lorenz Stechauner 2021-05-20 12:03:40 +02:00 committed by Fabian Grünbichler
parent 027f67e46d
commit 91db3ececc
3 changed files with 11 additions and 5 deletions

View File

@ -332,7 +332,7 @@ __PACKAGE__->register_method({
for my $pool (sort keys %{$usercfg->{pools}}) {
my $d = $usercfg->{pools}->{$pool};
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Allocate' ], 1);
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = {
id => "/pool/$pool",
@ -384,6 +384,11 @@ __PACKAGE__->register_method({
$entry->{lock} = $lock;
}
if (defined($entry->{pool}) &&
!$rpcenv->check($authuser, "/pool/$entry->{pool}", ['Pool.Audit'], 1)) {
delete $entry->{pool};
}
# get ha status
if (my $hatype = $hatypemap->{$entry->{type}}) {
my $sid = "$hatype:$vmid";

View File

@ -22,7 +22,7 @@ __PACKAGE__->register_method ({
method => 'GET',
description => "Pool index.",
permissions => {
description => "List all pools where you have Pool.Allocate or VM.Allocate permissions on /pool/<pool>.",
description => "List all pools where you have Pool.Audit permissions on /pool/<pool>.",
user => 'all',
},
parameters => {
@ -47,9 +47,10 @@ __PACKAGE__->register_method ({
my $usercfg = $rpcenv->{user_cfg};
my $res = [];
for my $pool (sort keys %{$usercfg->{pools}}) {
next if !$rpcenv->check_any($authuser, "/pool/$pool", [ 'Pool.Allocate', 'VM.Allocate' ], 1);
next if !$rpcenv->check($authuser, "/pool/$pool", [ 'Pool.Audit' ], 1);
my $entry = { poolid => $pool };
my $pool_config = $usercfg->{pools}->{$pool};
@ -200,7 +201,7 @@ __PACKAGE__->register_method ({
path => '{poolid}',
method => 'GET',
permissions => {
check => ['perm', '/pool/{poolid}', ['Pool.Allocate']],
check => ['perm', '/pool/{poolid}', ['Pool.Audit']],
},
description => "Get pool configuration.",
parameters => {

View File

@ -226,7 +226,7 @@ __PACKAGE__->register_method ({
my $pool = $res->{pool};
if (defined($pool) &&
!$rpcenv->check($authuser, "/pool/$pool", ['Pool.Allocate'], 1)) {
!$rpcenv->check($authuser, "/pool/$pool", ['Pool.Audit'], 1)) {
delete $res->{pool};
}