X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FRPCEnvironment.pm;h=b3a7dc7ade4072e576e2b0b9b661f9512a6049a5;hp=1bdd0fc4d27abf349b43c218a735dcdbd206b888;hb=66c62938308e21686396338dfefd396a6db0c519;hpb=5bf71a968e93e7d6e1c00257ff116f050f8493cd diff --git a/PVE/RPCEnvironment.pm b/PVE/RPCEnvironment.pm index 1bdd0fc..b3a7dc7 100644 --- a/PVE/RPCEnvironment.pm +++ b/PVE/RPCEnvironment.pm @@ -2,9 +2,12 @@ package PVE::RPCEnvironment; use strict; use warnings; -use POSIX ":sys_wait_h"; +use POSIX qw(:sys_wait_h EINTR); +use IO::Handle; use IO::File; +use IO::Select; use Fcntl qw(:flock); +use PVE::Exception qw(raise raise_perm_exc); use PVE::SafeSyslog; use PVE::Tools; use PVE::INotify; @@ -86,87 +89,381 @@ my $register_worker = sub { # ACL cache -my $compile_acl = sub { - my ($self, $user) = @_; +my $compile_acl_path = sub { + my ($self, $user, $path) = @_; - my $res = {}; my $cfg = $self->{user_cfg}; return undef if !$cfg->{roles}; - if ($user eq 'root@pam') { # root can do anything - return {'/' => $cfg->{roles}->{'Administrator'}}; - } + die "internal error" if $user eq 'root@pam'; + + my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; + my $data = $cache->{$user}; + + if (!$data->{poolroles}) { + $data->{poolroles} = {}; + + foreach my $pool (keys %{$cfg->{pools}}) { + my $d = $cfg->{pools}->{$pool}; + my @ra = PVE::AccessControl::roles($cfg, $user, "/pool/$pool"); # pool roles + next if !scalar(@ra); + foreach my $vmid (keys %{$d->{vms}}) { + for my $role (@ra) { + $data->{poolroles}->{"/vms/$vmid"}->{$role} = 1; + } + } + foreach my $storeid (keys %{$d->{storage}}) { + for my $role (@ra) { + $data->{poolroles}->{"/storage/$storeid"}->{$role} = 1; + } + } + } + } - foreach my $path (sort keys %{$cfg->{acl}}) { - my @ra = PVE::AccessControl::roles($cfg, $user, $path); + my @ra = PVE::AccessControl::roles($cfg, $user, $path); - my $privs = {}; - foreach my $role (@ra) { - if (my $privset = $cfg->{roles}->{$role}) { - foreach my $p (keys %$privset) { - $privs->{$p} = 1; + # apply roles inherited from pools + # Note: assume we do not want to propagate those privs + if ($data->{poolroles}->{$path}) { + if (!($ra[0] && $ra[0] eq 'NoAccess')) { + if ($data->{poolroles}->{$path}->{NoAccess}) { + @ra = ('NoAccess'); + } else { + foreach my $role (keys %{$data->{poolroles}->{$path}}) { + push @ra, $role; } } } + } - $res->{$path} = $privs; + $data->{roles}->{$path} = [ @ra ]; + + my $privs = {}; + foreach my $role (@ra) { + if (my $privset = $cfg->{roles}->{$role}) { + foreach my $p (keys %$privset) { + $privs->{$p} = 1; + } + } } + $data->{privs}->{$path} = $privs; - return $res; + return $privs; }; +sub roles { + my ($self, $user, $path) = @_; + + if ($user eq 'root@pam') { # root can do anything + return ('Administrator'); + } + + $user = PVE::AccessControl::verify_username($user, 1); + return () if !$user; + + my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; + + my $acl = $cache->{$user}; + + my $roles = $acl->{roles}->{$path}; + return @$roles if $roles; + + &$compile_acl_path($self, $user, $path); + $roles = $acl->{roles}->{$path} || []; + return @$roles; +} + sub permissions { my ($self, $user, $path) = @_; + if ($user eq 'root@pam') { # root can do anything + my $cfg = $self->{user_cfg}; + return $cfg->{roles}->{'Administrator'}; + } + $user = PVE::AccessControl::verify_username($user, 1); return {} if !$user; my $cache = $self->{aclcache}; + $cache->{$user} = {} if !$cache->{$user}; my $acl = $cache->{$user}; - if (!$acl) { - if (!($acl = &$compile_acl($self, $user))) { - return {}; - } - $cache->{$user} = $acl; - } + my $perm = $acl->{privs}->{$path}; + return $perm if $perm; + + return &$compile_acl_path($self, $user, $path); +} - my $perm; +sub check { + my ($self, $user, $path, $privs, $noerr) = @_; - if (!($perm = $acl->{$path})) { - $perm = {}; - foreach my $p (sort keys %$acl) { - my $final = ($path eq $p); - - next if !(($p eq '/') || $final || ($path =~ m|^$p/|)); + my $perm = $self->permissions($user, $path); - $perm = $acl->{$p}; + foreach my $priv (@$privs) { + PVE::AccessControl::verify_privname($priv); + if (!$perm->{$priv}) { + return undef if $noerr; + raise_perm_exc("$path, $priv"); } - $acl->{$path} = $perm; - } + }; - return $perm; -} + return 1; +}; -sub check { - my ($self, $user, $path, $privs) = @_; +sub check_any { + my ($self, $user, $path, $privs, $noerr) = @_; my $perm = $self->permissions($user, $path); + my $found = 0; foreach my $priv (@$privs) { - return undef if !$perm->{$priv}; + PVE::AccessControl::verify_privname($priv); + if ($perm->{$priv}) { + $found = 1; + last; + } }; - return 1; + return 1 if $found; + + return undef if $noerr; + + raise_perm_exc("$path, " . join("|", @$privs)); }; -sub user_enabled { - my ($self, $user) = @_; +sub check_full { + my ($self, $username, $path, $privs, $any, $noerr) = @_; + if ($any) { + return $self->check_any($username, $path, $privs, $noerr); + } else { + return $self->check($username, $path, $privs, $noerr); + } +} + +sub check_user_enabled { + my ($self, $user, $noerr) = @_; my $cfg = $self->{user_cfg}; - return PVE::AccessControl::user_enabled($cfg, $user); + return PVE::AccessControl::check_user_enabled($cfg, $user, $noerr); +} + +sub check_user_exist { + my ($self, $user, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + return PVE::AccessControl::check_user_exist($cfg, $user, $noerr); +} + +sub check_pool_exist { + my ($self, $pool, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + return 1 if $cfg->{pools}->{$pool}; + + return undef if $noerr; + + raise_perm_exc("pool '$pool' does not exist"); +} + +sub check_vm_perm { + my ($self, $user, $vmid, $pool, $privs, $any, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + if ($pool) { + return if $self->check_full($user, "/pool/$pool", $privs, $any, 1); + } + return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr); +}; + +sub check_volume_access { + my ($self, $user, $storecfg, $vmid, $volid) = @_; + + # test if we have read access to volid + + my ($sid, $volname) = PVE::Storage::parse_volume_id($volid, 1); + if ($sid) { + my ($vtype, undef, $ownervm) = PVE::Storage::parse_volname($storecfg, $volid); + if ($vtype eq 'iso' || $vtype eq 'vztmpl') { + # we simply allow access + } elsif (defined($ownervm) && defined($vmid) && ($ownervm == $vmid)) { + # we are owner - allow access + } elsif ($vtype eq 'backup' && $ownervm) { + $self->check($user, "/storage/$sid", ['Datastore.AllocateSpace']); + $self->check($user, "/vms/$ownervm", ['VM.Backup']); + } else { + # allow if we are Datastore administrator + $self->check($user, "/storage/$sid", ['Datastore.Allocate']); + } + } else { + die "Only root can pass arbitrary filesystem paths." + if $user ne 'root@pam'; + } + + return undef; +} + +sub is_group_member { + my ($self, $group, $user) = @_; + + my $cfg = $self->{user_cfg}; + + return 0 if !$cfg->{groups}->{$group}; + + return defined($cfg->{groups}->{$group}->{users}->{$user}); +} + +sub filter_groups { + my ($self, $user, $privs, $any) = @_; + + my $cfg = $self->{user_cfg}; + + my $groups = {}; + foreach my $group (keys %{$cfg->{groups}}) { + my $path = "/access/groups/$group"; + if ($self->check_full($user, $path, $privs, $any, 1)) { + $groups->{$group} = $cfg->{groups}->{$group}; + } + } + + return $groups; +} + +sub group_member_join { + my ($self, $grouplist) = @_; + + my $users = {}; + + my $cfg = $self->{user_cfg}; + foreach my $group (@$grouplist) { + my $data = $cfg->{groups}->{$group}; + next if !$data; + foreach my $user (keys %{$data->{users}}) { + $users->{$user} = 1; + } + } + + return $users; +} + +sub check_perm_modify { + my ($self, $username, $path, $noerr) = @_; + + return $self->check($username, '/access', [ 'Permissions.Modify' ], $noerr) if !$path; + + my $testperms = [ 'Permissions.Modify' ]; + if ($path =~ m|^/storage/.+$|) { + push @$testperms, 'Datastore.Allocate'; + } elsif ($path =~ m|^/vms/.+$|) { + push @$testperms, 'VM.Allocate'; + } elsif ($path =~ m|^/pool/.+$|) { + push @$testperms, 'Pool.Allocate'; + } + + return $self->check_any($username, $path, $testperms, $noerr); +} + +sub exec_api2_perm_check { + my ($self, $check, $username, $param, $noerr) = @_; + + # syslog("info", "CHECK " . join(', ', @$check)); + + my $ind = 0; + my $test = $check->[$ind++]; + die "no permission test specified" if !$test; + + if ($test eq 'and') { + while (my $subcheck = $check->[$ind++]) { + $self->exec_api2_perm_check($subcheck, $username, $param); + } + return 1; + } elsif ($test eq 'or') { + while (my $subcheck = $check->[$ind++]) { + return 1 if $self->exec_api2_perm_check($subcheck, $username, $param, 1); + } + return 0 if $noerr; + raise_perm_exc(); + } elsif ($test eq 'perm') { + my ($t, $tmplpath, $privs, %options) = @$check; + my $any = $options{any}; + die "missing parameters" if !($tmplpath && $privs); + my $require_param = $options{require_param}; + if ($require_param && !defined($param->{$require_param})) { + return 0 if $noerr; + raise_perm_exc(); + } + my $path = PVE::Tools::template_replace($tmplpath, $param); + $path = PVE::AccessControl::normalize_path($path); + return $self->check_full($username, $path, $privs, $any, $noerr); + } elsif ($test eq 'userid-group') { + my $userid = $param->{userid}; + my ($t, $privs, %options) = @$check; + return 0 if !$options{groups_param} && !$self->check_user_exist($userid, $noerr); + if (!$self->check_any($username, "/access/groups", $privs, 1)) { + my $groups = $self->filter_groups($username, $privs, 1); + if ($options{groups_param}) { + my @group_param = PVE::Tools::split_list($param->{groups}); + raise_perm_exc("/access/groups, " . join("|", @$privs)) if !scalar(@group_param); + foreach my $pg (@group_param) { + raise_perm_exc("/access/groups/$pg, " . join("|", @$privs)) + if !$groups->{$pg}; + } + } else { + my $allowed_users = $self->group_member_join([keys %$groups]); + if (!$allowed_users->{$userid}) { + return 0 if $noerr; + raise_perm_exc(); + } + } + } + return 1; + } elsif ($test eq 'userid-param') { + my ($userid, undef, $realm) = PVE::AccessControl::verify_username($param->{userid}); + my ($t, $subtest) = @$check; + die "missing parameters" if !$subtest; + if ($subtest eq 'self') { + return 0 if !$self->check_user_exist($userid, $noerr); + return 1 if $username eq $userid; + return 0 if $noerr; + raise_perm_exc(); + } elsif ($subtest eq 'Realm.AllocateUser') { + my $path = "/access/realm/$realm"; + return $self->check($username, $path, ['Realm.AllocateUser'], $noerr); + } else { + die "unknown userid-param test"; + } + } elsif ($test eq 'perm-modify') { + my ($t, $tmplpath) = @$check; + my $path = PVE::Tools::template_replace($tmplpath, $param); + $path = PVE::AccessControl::normalize_path($path); + return $self->check_perm_modify($username, $path, $noerr); + } else { + die "unknown permission test"; + } +}; + +sub check_api2_permissions { + my ($self, $perm, $username, $param) = @_; + + return 1 if !$username && $perm->{user} eq 'world'; + + raise_perm_exc("user != null") if !$username; + + return 1 if $username eq 'root@pam'; + + raise_perm_exc('user != root@pam') if !$perm; + + return 1 if $perm->{user} && $perm->{user} eq 'all'; + + return $self->exec_api2_perm_check($perm->{check}, $username, $param) + if $perm->{check}; + + raise_perm_exc(); } # initialize environment - must be called once at program startup @@ -177,7 +474,7 @@ sub init { die "already initialized" if $pve_env; - die "unknown environment type" if !$type || $type !~ m/^(cli|pub|priv)$/; + die "unknown environment type" if !$type || $type !~ m/^(cli|pub|priv|ha)$/; $SIG{CHLD} = $worker_reaper; @@ -185,6 +482,7 @@ sub init { # cli ... command started fron command line # pub ... access from public server (apache) # priv ... access from private server (pvedaemon) + # ha ... access from HA resource manager agent (rgmanager) my $self = { user_cfg => {}, @@ -228,6 +526,8 @@ sub init_request { PVE::Cluster::cfs_update(); + $self->{result_attributes} = {}; + my $userconfig; # we use this for regression tests foreach my $p (keys %params) { if ($p eq 'userconfig') { @@ -243,6 +543,7 @@ sub init_request { my $ucdata = PVE::Tools::file_get_contents($userconfig); my $cfg = PVE::AccessControl::parse_user_config($userconfig, $ucdata); $self->{user_cfg} = $cfg; + #print Dumper($cfg); } else { my $ucvers = PVE::Cluster::cfs_file_version('user.cfg'); if (!$self->{aclcache} || !defined($self->{aclversion}) || @@ -271,16 +572,16 @@ sub get_client_ip { return $self->{client_ip}; } -sub set_result_count { - my ($self, $count) = @_; +sub set_result_attrib { + my ($self, $key, $value) = @_; - $self->{result_count} = $count; + $self->{result_attributes}->{$key} = $value; } -sub get_result_count { - my ($self) = @_; +sub get_result_attrib { + my ($self, $key) = @_; - return $self->{result_count}; + return $self->{result_attributes}->{$key}; } sub set_language { @@ -334,9 +635,9 @@ sub active_workers { my $thash = {}; # only list task once my $check_task = sub { - my ($task) = @_; + my ($task, $running) = @_; - if (PVE::ProcFSTools::check_process_running($task->{pid}, $task->{pstart})) { + if ($running || PVE::ProcFSTools::check_process_running($task->{pid}, $task->{pstart})) { push @$tlist, $task; } else { delete $task->{pid}; @@ -356,7 +657,7 @@ sub active_workers { $task = PVE::Tools::upid_decode($new_upid); $task->{upid} = $new_upid; $thash->{$new_upid} = $task; - &$check_task($task) if !$nocheck; + &$check_task($task, $nocheck); } @@ -375,7 +676,7 @@ sub active_workers { my @arlist = (); foreach my $task (@ta) { if (!$task->{saved}) { - $archive .= sprintf("$task->{upid} %08X $task->{status}\n", $task->{endtime}); + $archive .= sprintf("%s %08X %s\n", $task->{upid}, $task->{endtime}, $task->{status}); $save = 1; push @arlist, $task; $task->{saved} = 1; @@ -469,14 +770,14 @@ sub check_worker { # STDOUT,STDERR are redirected to the filename returned by upid_decode # NOTE: we simulate running in foreground if ($self->{type} eq 'cli') sub fork_worker { - my ($self, $dtype, $id, $user, $function) = @_; + my ($self, $dtype, $id, $user, $function, $background) = @_; $dtype = 'unknown' if !defined ($dtype); $id = '' if !defined ($id); $user = 'root@pve' if !defined ($user); - my $sync = $self->{type} eq 'cli' ? 1 : 0; + my $sync = ($self->{type} eq 'cli' && !$background) ? 1 : 0; local $SIG{INT} = local $SIG{QUIT} = @@ -531,13 +832,17 @@ sub fork_worker { # same algorythm as used inside SA # STDIN = /dev/null my $fd = fileno (STDIN); - close STDIN; - POSIX::close(0) if $fd != 0; - die "unable to redirect STDIN - $!" - if !open(STDIN, "{type} eq 'ha') { + print "task started by HA resource agent\n"; + } eval { &$function($upid); }; my $err = $@; if ($err) { @@ -649,28 +957,53 @@ sub fork_worker { if ($sync) { my $count; my $outbuf = ''; + my $int_count = 0; eval { - local $SIG{INT} = - local $SIG{QUIT} = - local $SIG{TERM} = sub { die "got interrupt\n"; }; + local $SIG{INT} = local $SIG{QUIT} = local $SIG{TERM} = sub { + # always send signal to all pgrp members + my $kpid = -$cpid; + if ($int_count < 3) { + kill(15, $kpid); # send TERM signal + } else { + kill(9, $kpid); # send KILL signal + } + $int_count++; + }; local $SIG{PIPE} = sub { die "broken pipe\n"; }; - - while (($count = POSIX::read($psync[0], $readbuf, 4096)) && ($count > 0)) { - $outbuf .= $readbuf; - while ($outbuf =~ s/^(([^\010\r\n]*)(\r|\n|(\010)+|\r\n))//s) { - my $line = $1; - my $data = $2; - if ($data =~ m/^TASK OK$/) { - # skip - } elsif ($data =~ m/^TASK ERROR: (.+)$/) { - print STDERR "$1\n"; - } else { - print $line; + + my $select = new IO::Select; + my $fh = IO::Handle->new_from_fd($psync[0], 'r'); + $select->add($fh); + + while ($select->count) { + my @handles = $select->can_read(1); + if (scalar(@handles)) { + my $count = sysread ($handles[0], $readbuf, 4096); + if (!defined ($count)) { + my $err = $!; + die "sync pipe read error: $err\n"; } - if ($outfh) { - print $outfh $line; - $outfh->flush(); + last if $count == 0; # eof + + $outbuf .= $readbuf; + while ($outbuf =~ s/^(([^\010\r\n]*)(\r|\n|(\010)+|\r\n))//s) { + my $line = $1; + my $data = $2; + if ($data =~ m/^TASK OK$/) { + # skip + } elsif ($data =~ m/^TASK ERROR: (.+)$/) { + print STDERR "$1\n"; + } else { + print $line; + } + if ($outfh) { + print $outfh $line; + $outfh->flush(); + } } + } else { + # some commands daemonize without closing stdout + last if !PVE::ProcFSTools::check_process_running($cpid); } } };