mirror of git://git.proxmox.com/git/pve-access-control.git
synced 2025-01-06 13:17:54 +03:00
add Sys.AccessNetwork privilege
We have some API endpoints that can access the network from the POV of a Proxmox VE node, like e.g., the one for downloading a template/ISO image directly to a PVE storage from an HTTP URL, and the matching query-url-metadata that makes this functionality much more convenient to use in the UI.

But the downside of such calls is naturally that they basically allow scanning the whole network via HTTP URLs, and potentially even downloading some image that the user should not have access to and adding it to a VM that the user controls.

Due to that we limited the exposure of those API endpoints to Sys.Modify on / (in addition to e.g. basic storage privs) for the initial addition of the feature, as we were not sure about user adoption and if a separate privilege could be justified.

Since we got a handful of requests like #5254 this justification is now met, so add a 'Sys.AccessNetwork' privilege.

That name should make it clear that having that privilege will allow access to the network and the sys(tem) prefix should underline that it's about the host system's network.

Add it such that it will only be available for the most powerful of our built-in special roles, namely the Administration one, besides naturally the all-powerful root@pam special user.

Admins can then e.g. create new roles that include Sys.AccessNetwork and Datastore.AllocateTemplate which can then be used for allowing automation to download images while adhering to the Least Privilege Principle.

Buglink: https://bugzilla.proxmox.com/show_bug.cgi?id=5254
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
parent 742a7b6cbd
commit 36c18144de
@ -1065,6 +1065,7 @@ my $privgroups = {
|
|||||||
'Sys.PowerMgmt',
|
'Sys.PowerMgmt',
|
||||||
'Sys.Modify', # edit/change node settings
|
'Sys.Modify', # edit/change node settings
|
||||||
'Sys.Incoming', # incoming storage/guest migrations
|
'Sys.Incoming', # incoming storage/guest migrations
|
||||||
|
'Sys.AccessNetwork', # for, e.g., downloading ISOs from any URL
|
||||||
],
|
],
|
||||||
admin => [
|
admin => [
|
||||||
'Sys.Console',
|
'Sys.Console',
|
||||||
|
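Review bot: The inline comment on the added 'Sys.AccessNetwork' entry ("for, e.g., downloading ISOs from any URL") understates what the privilege grants. The commit message says the gated endpoints allow scanning the network via HTTP URLs from the node's point of view, so the comment should name that, for example "node-side network access (URL download, query-url-metadata)", so that anyone composing roles from this list later sees the exposure. Separately, the key of the list being extended lies outside the visible context: the entry lands in the list that closes just before 'admin => [', and it is worth confirming that no built-in role other than the Administration one is assembled from that list.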
@ -79,7 +79,7 @@ check_permission(
|
|||||||
. 'Pool.Allocate,Pool.Audit,'
|
. 'Pool.Allocate,Pool.Audit,'
|
||||||
. 'Realm.Allocate,Realm.AllocateUser,'
|
. 'Realm.Allocate,Realm.AllocateUser,'
|
||||||
. 'SDN.Allocate,SDN.Audit,SDN.Use,'
|
. 'SDN.Allocate,SDN.Audit,SDN.Use,'
|
||||||
. 'Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
|
. 'Sys.AccessNetwork,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,'
|
||||||
. 'User.Modify,'
|
. 'User.Modify,'
|
||||||
. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
|
. 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,'
|
||||||
. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
|
. 'VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,'
|
||||||
|
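Review bot: A negative test is missing next to the changed expectation in this check_permission( call. The only visible change puts 'Sys.AccessNetwork' at the front of the Sys.* run of an expected privilege string, which covers the positive case. The property the commit message promises is the opposite one, that built-in roles below the Administration one do not gain the privilege. Adding a check_permission case whose expected string for a lesser built-in role does not contain 'Sys.AccessNetwork' would keep a later regrouping in $privgroups from silently widening access.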