add Sys.AccessNetwork privilege

We have some API endpoints that can access the network from the POV of
a Proxmox VE node, like e.g., the one for downloading a template/ISO
image directly to a PVE storage from an HTTP URL, and the matching
query-url-metadata that makes this functionality much more convenient
to use in the UI. But the downside of such calls is naturally that
they basically allow to scan the whole network via HTTP URLs, and
potentially even download some image that the user should not have
access to and adding to a VM that the user controls.

Due to that we limited the exposure of those API endpoints to
Sys.Modify on / (in addition to e.g. basic storage privs) for the
initial addition of the feature, as we were not sure about user
adoption and if a separate privilege could be justified.

Since we got a handful requests like #5254 this justification is now
met, so add a 'Sys.AccessNetwork' privilege.
That name should make it clear that having that privilege will allow
access to the network and the sys(tem) prefix should underline that
it's about the host systems network. Add it such, that it will only be
available for the most powerful of our built-in special roles, namely
the Administration one, besides naturally the all-powerful root@pam
special user.

Admins can then e.g. create new roles that include Sys.AccessNetwork
and Datastore.AllocateTemplate which can then be used for allowing
automation to download images while adhering to the Least Privilege
Principle.

Buglink: https://bugzilla.proxmox.com/show_bug.cgi?id=5254
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 25fc0d94c9d706b5dbdf6df983e4854d8a794f6d..faea70de345bbef2b1e710e8436f91c93e708dde 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1065,6 +1065,7 @@ my $privgroups = {
            'Sys.PowerMgmt',
            'Sys.Modify', # edit/change node settings
            'Sys.Incoming', # incoming storage/guest migrations
+           'Sys.AccessNetwork', # for, e.g., downloading ISOs from any URL
        ],
        admin => [
            'Sys.Console',

diff --git a/src/test/perm-test1.pl b/src/test/perm-test1.pl
index 27aadeb31cf2cce5b1ef4218a49801a3603191ce..df9fe901d18c169206114f72a0523d3098379423 100755 (executable)
--- a/src/test/perm-test1.pl
+++ b/src/test/perm-test1.pl
@@ -79,7 +79,7 @@ check_permission(
     . 'Pool.Allocate,Pool.Audit,'
     . 'Realm.Allocate,Realm.AllocateUser,'
     . 'SDN.Allocate,SDN.Audit,SDN.Use,'
-    . 'Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
+    . 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
     . 'User.Modify,'
     . 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
     . 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'