From e842fec5e002c399e56222a447878597a0315845 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Mon, 12 Nov 2018 17:50:14 +0100
Subject: [PATCH] fix #233: return cluster name on successful login

If a cluster is configured then return the cluster name on successful login - if the user has Sys.Audit privileges on the '/' path (same as for returning cluster info, like the join info path uses) This is more for the reason that some admins do not want to expose this to lesser privileged (API) users. While yes, you can theoretically launch a (DDOS resembling) attack which stresses the corosync network if you know the cluster_name (it's still encrypted but you can back-calculate the multicast group membership info) you need to be able to send multicast traffic on the corosync LAN - which can be seen as a pretty big privilege anyway. But, for now reduce permissions - we can more easily loosen them than tighten without causing issues anyway.

Signed-off-by: Thomas Lamprecht
---
 PVE/API2/AccessControl.pm | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/PVE/API2/AccessControl.pm b/PVE/API2/AccessControl.pm
index 414da3a..93f384a 100644
--- a/PVE/API2/AccessControl.pm
+++ b/PVE/API2/AccessControl.pm
@@ -7,6 +7,7 @@ use PVE::Exception qw(raise raise_perm_exc);
 use PVE::SafeSyslog;
 use PVE::RPCEnvironment;
 use PVE::Cluster qw(cfs_read_file);
+use PVE::Corosync;
 use PVE::RESTHandler;
 use PVE::AccessControl;
 use PVE::JSONSchema qw(get_standard_option);
@@ -246,6 +247,7 @@ __PACKAGE__->register_method ({
             username => { type => 'string' },
             ticket => { type => 'string', optional => 1},
             CSRFPreventionToken => { type => 'string', optional => 1 },
+            clustername => { type => 'string', optional => 1 },
         }
     },
     code => sub {
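Review bot: The new `clustername` return field carries no `description`, so the generated API documentation will not tell clients under which conditions it is present; suggest `clustername => { type => 'string', optional => 1, description => "Cluster name; only returned when a cluster is configured and the user has Sys.Audit on '/'." },`. The sibling fields in this returns block are equally undocumented, so the omission is consistent with the existing style, but the privilege-dependent presence is the kind of detail an API consumer cannot guess. The register_method call continues outside this hunk.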
@@ -277,6 +279,16 @@ __PACKAGE__->register_method ({
         $res->{cap} = &$compute_api_permission($rpcenv, $username);
+        if (PVE::Corosync::check_conf_exists(1)) {
+            if ($rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
+                my $conf = cfs_read_file('corosync.conf');
+                my $totem = PVE::Corosync::totem_config($conf);
+                if ($totem->{cluster_name}) {
+                    $res->{clustername} = $totem->{cluster_name};
+                }
+            }
+        }
+
         PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'");
         return $res;
-- 
2.39.2
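Review bot: The corosync lookup is placed before the `PVE::Cluster::log_msg(... "successful auth ...")` line, so if `cfs_read_file('corosync.conf')` or `totem_config` dies (an unparseable config, for instance — what the helpers do on error is not visible here) the login request fails for every user holding Sys.Audit on '/' even though their credentials were presumably already accepted earlier in the sub, and the successful-auth audit entry is never written. Reading the cluster name inside an `eval` and warning on failure keeps login and its audit trail independent of cluster-config health; moving the block after the `log_msg` call would at least preserve the log line. As a style point, the two nested `if`s can be merged into one condition with `&&`, and the undef guard on `$totem` avoids relying on autovivification of the lookup result. The enclosing `code => sub {` starts and ends outside this hunk.
```perl
        # … unchanged: $res->{cap} assignment …
        if (PVE::Corosync::check_conf_exists(1) && $rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
            my $totem = eval { PVE::Corosync::totem_config(cfs_read_file('corosync.conf')) };
            if (my $err = $@) {
                warn "unable to determine cluster name: $err";
            } elsif ($totem && $totem->{cluster_name}) {
                $res->{clustername} = $totem->{cluster_name};
            }
        }
        # … unchanged: log_msg call and return $res …
```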