]> git.proxmox.com Git - pve-access-control.git/commitdiff
projects / pve-access-control.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a62d78d)
add privileges and paths for cluster resource mapping
authorDominik Csapak <d.csapak@proxmox.com>
Tue, 6 Jun 2023 13:52:00 +0000 (15:52 +0200)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Wed, 7 Jun 2023 16:58:33 +0000 (18:58 +0200)
uses the privileges:

Mapping.Use
Mapping.Modify
Mapping.Audit

on /mapping/{TYPE}/{id}

so that we can assign privileges on resource level

this will generate new roles (PVEMappingUser, PVEMappingAdmin,
PVEMappingAuditor)

note that every user with Permissions.Modify on '/' and propagate can add these
new roles to themselves

Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
src/PVE/AccessControl.pm patch | blob | blame | history
src/PVE/RPCEnvironment.pm patch | blob | blame | history

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index e234d2452e5b25bbffcda7fcb6628d9850f9da25..5b5179ce1545e1390dc41bf89208718ffab2aab2 100644 (file)
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1118,6 +1118,18 @@ my $privgroups = {
            'Pool.Audit',
        ],
     },
+    Mapping => {
+       root => [],
+       admin => [
+           'Mapping.Modify',
+       ],
+       user => [
+           'Mapping.Use',
+       ],
+       audit => [
+           'Mapping.Audit',
+       ],
+    },
 };
 
 my $valid_privs = {
@@ -1152,6 +1164,10 @@ sub create_roles {
        }
     }
 
+    # remove Mapping.Modify from PVEAdmin, only Administrator, root@pam and
+    # PVEMappingAdmin should be able to use that for now
+    delete $special_roles->{"PVEAdmin"}->{"Mapping.Modify"};
+
     $special_roles->{"PVETemplateUser"} = { 'VM.Clone' => 1, 'VM.Audit' => 1 };
 };
 
@@ -1251,6 +1267,9 @@ sub check_path {
        |/storage/[[:alnum:]\.\-\_]+
        |/vms
        |/vms/[1-9][0-9]{2,}
+       |/mapping
+       |/mapping/[[:alnum:]\.\-\_]+
+       |/mapping/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+
     )$!xs;
 }
 
diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 075099d9fe617d6d5d38975ce5e45429d09877ab..5eb339a4b92dcdbfc87d3b68ebf649dbab14fd7d 100644 (file)
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -187,10 +187,11 @@ sub compute_api_permission {
        nodes => qr/Sys\.|Permissions\.Modify/,
        sdn => qr/SDN\.|Permissions\.Modify/,
        dc => qr/Sys\.Audit|Sys\.Modify|SDN\./,
+       mapping => qr/Mapping\.|Permissions.Modify/,
     };
     map { $res->{$_} = {} } keys %$priv_re_map;
 
-    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn'];
+    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn', '/mapping'];
     my $defined_paths = [];
     PVE::AccessControl::iterate_acl_tree("/", $usercfg->{acl_root}, sub {
        my ($path, $node) = @_;
Access control framework