X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FRPCEnvironment.pm;h=7532e9eca0245dd76f11d75dcd3c9c85081c840f;hp=3df603517a1558104ac5f5d439f61a20b6790e03;hb=5bb4e06a6440c8b67e67e14de9e42ba17a966b23;hpb=f8cc5a5f36b6480ac4d56569fc5a38c2d34d9f3d diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm index 3df6035..7532e9e 100644 --- a/PVE/RPCEnvironment.pm +++ b/PVE/RPCEnvironment.pm @@ -14,6 +14,7 @@ use PVE::INotify; use PVE::Cluster; use PVE::ProcFSTools; use PVE::AccessControl; +use Cwd 'abs_path'; use CGI; # we use this singleton class to pass RPC related environment values @@ -90,68 +91,113 @@ my $register_worker = sub { # ACL cache -my $compile_acl = sub { - my ($self, $user) = @_; +my $compile_acl_path = sub { + my ($self, $user, $path) = @_; - my $res = {}; my $cfg = $self->{user_cfg}; return undef if !$cfg->{roles}; - if ($user eq 'root@pam') { # root can do anything - return {'/' => $cfg->{roles}->{'Administrator'}}; - } + die "internal error" if $user eq 'root@pam'; + + my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; + my $data = $cache->{$user}; + + if (!$data->{poolroles}) { + $data->{poolroles} = {}; + + foreach my $pool (keys %{$cfg->{pools}}) { + my $d = $cfg->{pools}->{$pool}; + my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles + next if !scalar(@ra); + foreach my $vmid (keys %{$d->{vms}}) { + for my $role (@ra) { + $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1; + } + } + foreach my $storeid (keys %{$d->{storage}}) { + for my $role (@ra) { + $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1; + } + } + } + } - foreach my $path (sort keys %{$cfg->{acl}}) { - my @ra = PVE::AccessControl::roles($cfg, $user, $path); + my @ra = PVE::AccessControl::roles($cfg, $user, $path); - my $privs = {}; - foreach my $role (@ra) { - if (my $privset = $cfg->{roles}->{$role}) { - foreach my $p (keys %$privset) { - $privs->{$p} = 1; + # apply roles inherited from pools + # Note: assume we do not want to propagate those privs + if ($data->{poolroles}->{$path}) { + if (!($ra[0] && $ra[0] eq 'NoAccess')) { + if ($data->{poolroles}->{$path}->{NoAccess}) { + @ra = ('NoAccess'); + } else { + foreach my $role (keys %{$data->{poolroles}->{$path}}) { + push @ra, $role; } } } + } - $res->{$path} = $privs; + $data->{roles}->{$path} = [ @ra ]; + + my $privs = {}; + foreach my $role (@ra) { + if (my $privset = $cfg->{roles}->{$role}) { + foreach my $p (keys %$privset) { + $privs->{$p} = 1; + } + } } + $data->{privs}->{$path} = $privs; - return $res; + return $privs; }; +sub roles { + my ($self, $user, $path) = @_; + + if ($user eq 'root@pam') { # root can do anything + return ('Administrator'); + } + + $user = PVE::AccessControl::verify_username($user, 1); + return () if !$user; + + my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; + + my $acl = $cache->{$user}; + + my $roles = $acl->{roles}->{$path}; + return @$roles if $roles; + + &$compile_acl_path($self, $user, $path); + $roles = $acl->{roles}->{$path} || []; + return @$roles; +} + sub permissions { my ($self, $user, $path) = @_; + if ($user eq 'root@pam') { # root can do anything + my $cfg = $self->{user_cfg}; + return $cfg->{roles}->{'Administrator'}; + } + $user = PVE::AccessControl::verify_username($user, 1); return {} if !$user; my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; my $acl = $cache->{$user}; - if (!$acl) { - if (!($acl = &$compile_acl($self, $user))) { - return {}; - } - $cache->{$user} = $acl; - } - - my $perm; - - if (!($perm = $acl->{$path})) { - $perm = {}; - foreach my $p (sort keys %$acl) { - my $final = ($path eq $p); - - next if !(($p eq '/') || $final || ($path =~ m|^$p/|)); + my $perm = $acl->{privs}->{$path}; + return $perm if $perm; - $perm = $acl->{$p}; - } - $acl->{$path} = $perm; - } - - return $perm; + return &$compile_acl_path($self, $user, $path); } sub check { @@ -191,6 +237,15 @@ sub check_any { raise_perm_exc("$path, " . join("|", @$privs)); }; +sub check_full { + my ($self, $username, $path, $privs, $any, $noerr) = @_; + if ($any) { + return $self->check_any($username, $path, $privs, $noerr); + } else { + return $self->check($username, $path, $privs, $noerr); + } +} + sub check_user_enabled { my ($self, $user, $noerr) = @_; @@ -205,6 +260,54 @@ sub check_user_exist { return PVE::AccessControl::check_user_exist($cfg, $user, $noerr); } +sub check_pool_exist { + my ($self, $pool, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + return 1 if $cfg->{pools}->{$pool}; + + return undef if $noerr; + + raise_perm_exc("pool '$pool' does not exist"); +} + +sub check_vm_perm { + my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + if ($pool) { + return if $self->check_full($user, "/pool/$pool", $privs, $any, 1); + } + return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr); +}; + +sub check_volume_access { + my ($self, $user, $storecfg, $vmid, $volid) = @_; + + # test if we have read access to volid + + my $path; + my ($sid, $volname) = PVE::Storage::parse_volume_id($volid, 1); + if ($sid) { + my ($ownervm, $vtype); + ($path, $ownervm, $vtype) = PVE::Storage::path($storecfg, $volid); + if ($vtype eq 'iso' || $vtype eq 'vztmpl') { + # we simply allow access + } elsif (!$ownervm || ($ownervm != $vmid)) { + # allow if we are Datastore administrator + $self->check($user, "/storage/$sid", ['Datastore.Allocate']); + } + } else { + die "Only root can pass arbitrary filesystem paths." + if $user ne 'root@pam'; + + $path = abs_path($volid); + } + return $path; +} + sub is_group_member { my ($self, $group, $user) = @_; @@ -223,14 +326,8 @@ sub filter_groups { my $groups = {}; foreach my $group (keys %{$cfg->{groups}}) { my $path = "/access/groups/$group"; - if ($any) { - if ($self->check_any($user, $path, $privs, 1)) { - $groups->{$group} = $cfg->{groups}->{$group}; - } - } else { - if ($self->check($user, $path, $privs, 1)) { - $groups->{$group} = $cfg->{groups}->{$group}; - } + if ($self->check_full($user, $path, $privs, $any, 1)) { + $groups->{$group} = $cfg->{groups}->{$group}; } } @@ -254,6 +351,23 @@ sub group_member_join { return $users; } +sub check_perm_modify { + my ($self, $username, $path, $noerr) = @_; + + return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path; + + my $testperms = [ 'Permissions.Modify' ]; + if ($path =~ m|^/storage/.+$|) { + push @$testperms, 'Datastore.Allocate'; + } elsif ($path =~ m|^/vms/.+$|) { + push @$testperms, 'VM.Allocate'; + } elsif ($path =~ m|^/pool/.+$|) { + push @$testperms, 'Pool.Allocate'; + } + + return $self->check_any($username, $path, $testperms, $noerr); +} + sub exec_api2_perm_check { my ($self, $check, $username, $param, $noerr) = @_; @@ -278,21 +392,23 @@ sub exec_api2_perm_check { my ($t, $tmplpath, $privs, %options) = @$check; my $any = $options{any}; die "missing parameters" if !($tmplpath && $privs); - my $path = PVE::Tools::template_replace($tmplpath, $param); - if ($any) { - return $self->check_any($username, $path, $privs, $noerr); - } else { - return $self->check($username, $path, $privs, $noerr); + my $require_param = $options{require_param}; + if ($require_param && !defined($param->{$require_param})) { + return 0 if $noerr; + raise_perm_exc(); } + my $path = PVE::Tools::template_replace($tmplpath, $param); + $path = PVE::AccessControl::normalize_path($path); + return $self->check_full($username, $path, $privs, $any, $noerr); } elsif ($test eq 'userid-group') { my $userid = $param->{userid}; my ($t, $privs, %options) = @$check; - return if !$options{groups_param} && !$self->check_user_exist($userid, $noerr); - if (!$self->check_any($username, "/access", $privs, 1)) { + return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr); + if (!$self->check_any($username, "/access/groups", $privs, 1)) { my $groups = $self->filter_groups($username, $privs, 1); if ($options{groups_param}) { my @group_param = PVE::Tools::split_list($param->{groups}); - raise_perm_exc("/access, " . join("|", @$privs)) if !scalar(@group_param); + raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param); foreach my $pg (@group_param) { raise_perm_exc("/access/groups/$pg, " . join("|", @$privs)) if !$groups->{$pg}; @@ -307,18 +423,26 @@ sub exec_api2_perm_check { } return 1; } elsif ($test eq 'userid-param') { - my $userid = $param->{userid}; - return if !$self->check_user_exist($userid, $noerr); + my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid}); my ($t, $subtest) = @$check; die "missing parameters" if !$subtest; if ($subtest eq 'self') { - return 1 if $username eq 'userid'; + return 0 if !$self->check_user_exist($userid, $noerr); + return 1 if $username eq $userid; return 0 if $noerr; raise_perm_exc(); + } elsif ($subtest eq 'Realm.AllocateUser') { + my $path = "/access/realm/$realm"; + return $self->check($username, $path, ['Realm.AllocateUser'], $noerr); } else { die "unknown userid-param test"; } - } else { + } elsif ($test eq 'perm-modify') { + my ($t, $tmplpath) = @$check; + my $path = PVE::Tools::template_replace($tmplpath, $param); + $path = PVE::AccessControl::normalize_path($path); + return $self->check_perm_modify($username, $path, $noerr); + } else { die "unknown permission test"; } }; @@ -469,6 +593,7 @@ sub init_request { my $ucdata = PVE::Tools::file_get_contents($userconfig); my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata); $self->{user_cfg} = $cfg; + #print Dumper($cfg); } else { my $ucvers = PVE::Cluster::cfs_file_version('user.cfg'); if (!$self->{aclcache} || !defined($self->{aclversion}) || @@ -695,14 +820,14 @@ sub check_worker { # STDOUT,STDERR are redirected to the filename returned by upid_decode # NOTE: we simulate running in foreground if ($self->{type} eq 'cli') sub fork_worker { - my ($self, $dtype, $id, $user, $function) = @_; + my ($self, $dtype, $id, $user, $function, $background) = @_; $dtype = 'unknown' if !defined ($dtype); $id = '' if !defined ($id); $user = 'root@pve' if !defined ($user); - my $sync = $self->{type} eq 'cli' ? 1 : 0; + my $sync = ($self->{type} eq 'cli' && !$background) ? 1 : 0; local $SIG{INT} = local $SIG{QUIT} =