mirror of
git://git.proxmox.com/git/pve-access-control.git
synced 2025-09-20 17:44:22 +03:00
roles: restrict Permissions.Modify to Administrator
to reduce the chances of accidentally handing out privilege modification privileges. the old default setup of having Permissions.Modify in PVESysAdmin and PVEAdmin weakened the distinction between those roles and Administrator. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
committed by
Thomas Lamprecht
parent
27014b5908
commit
df619a8dc2
@@ -1060,7 +1060,6 @@ my $privgroups = {
|
||||
'Sys.Incoming', # incoming storage/guest migrations
|
||||
],
|
||||
admin => [
|
||||
'Permissions.Modify',
|
||||
'Sys.Console',
|
||||
'Sys.Syslog',
|
||||
],
|
||||
@@ -1118,7 +1117,9 @@ my $privgroups = {
|
||||
},
|
||||
};
|
||||
|
||||
my $valid_privs = {};
|
||||
my $valid_privs = {
|
||||
'Permissions.Modify' => 1, # not contained in a group
|
||||
};
|
||||
|
||||
my $special_roles = {
|
||||
'NoAccess' => {}, # no privileges
|
||||
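Review bot: The comment on the new `'Permissions.Modify' => 1` seed in `$valid_privs` says where the privilege is not, but not why, so a later edit to `$privgroups` could put it back into `admin` without noticing the intent. I would state the intent directly, e.g. `# deliberately outside every privgroup: no group-derived built-in role may inherit it`. The code that builds the built-in roles from `$privgroups` and `$valid_privs` lies outside these hunks, so that Administrator still receives the privilege is inferred from the updated test expectations rather than visible here. Because the change narrows PVEAdmin and PVESysAdmin on existing installations, it also deserves an explicit upgrade note so operators who relied on those roles for delegating permission management can re-grant it deliberately.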
|
@@ -58,6 +58,10 @@ check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
|
||||
check_permission('alex@pve', '/vms', '');
|
||||
check_permission('alex@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
|
||||
|
||||
# PVEVMAdmin -> no Permissions.Modify!
|
||||
check_permission('alex@pve', '/vms/300', 'VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback');
|
||||
# Administrator -> Permissions.Modify!
|
||||
check_permission('alex@pve', '/vms/400', 'Datastore.Allocate,Datastore.AllocateSpace,Datastore.AllocateTemplate,Datastore.Audit,Group.Allocate,Permissions.Modify,Pool.Allocate,Pool.Audit,Realm.Allocate,Realm.AllocateUser,SDN.Allocate,SDN.Audit,Sys.Audit,Sys.Console,Sys.Incoming,Sys.Modify,Sys.PowerMgmt,Sys.Syslog,User.Modify,VM.Allocate,VM.Audit,VM.Backup,VM.Clone,VM.Config.CDROM,VM.Config.CPU,VM.Config.Cloudinit,VM.Config.Disk,VM.Config.HWType,VM.Config.Memory,VM.Config.Network,VM.Config.Options,VM.Console,VM.Migrate,VM.Monitor,VM.PowerMgmt,VM.Snapshot,VM.Snapshot.Rollback');
|
||||
|
||||
check_roles('max@pve', '/vms/200', 'storage_manager');
|
||||
check_roles('joe@pve', '/vms/200', 'vm_admin');
|
||||
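Review bot: The added assertions cover PVEVMAdmin and Administrator, but the commit message names PVEAdmin and PVESysAdmin as the roles that lose `Permissions.Modify`, and neither is exercised here. As far as this page shows, a regression that put the privilege back into the `admin` group could still pass these two checks. I would add fixture ACLs for both roles next to the `/vms/300` and `/vms/400` entries, on constructed paths such as `/vms/500` and `/vms/600`, and a `check_permission` for each whose expected list omits `Permissions.Modify`.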
|
@@ -50,7 +50,7 @@ check_roles('max@pve', '/vms/100', 'customer');
|
||||
check_roles('max@pve', '/vms/101', 'vm_admin');
|
||||
|
||||
check_permission('max@pve', '/', '');
|
||||
check_permission('max@pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
|
||||
check_permission('max@pve', '/vms', 'VM.Allocate,VM.Audit,VM.Console');
|
||||
check_permission('max@pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
|
||||
|
||||
check_permission('alex@pve', '/vms', '');
|
||||
@@ -66,7 +66,7 @@ check_roles('max@pve!token', '/vms/200', 'storage_manager');
|
||||
check_roles('max@pve!token2', '/vms/200', 'customer');
|
||||
|
||||
# check intersection -> token has Administrator, but user only vm_admin
|
||||
check_permission('max@pve!token2', '/vms/300', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
|
||||
check_permission('max@pve!token2', '/vms/300', 'VM.Allocate,VM.Audit,VM.Console,VM.PowerMgmt');
|
||||
|
||||
print "all tests passed\n";
|
||||
|
||||
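Review bot: With `Permissions.Modify` dropped from the `vm_admin` fixture role, the expectations for `max@pve` on `/vms` and for `max@pve!token2` on `/vms/300` no longer exercise a custom role that carries the privilege, although the privilege stays valid and assignable. The token case is now a useful negative check, since the existing comment says the token holds Administrator while the user has only `vm_admin`; a comment making that explicit would help, e.g. `# token's Administrator must not add Permissions.Modify beyond the user's own role`. To restore the lost positive coverage, I would add a separate custom role to the fixture that does include `Permissions.Modify`, with a matching `check_permission`.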
|
@@ -19,4 +19,6 @@ acl:1:/users:max@pve:Administrator:
|
||||
|
||||
acl:1:/vms/200:@testgroup3:storage_manager:
|
||||
acl:1:/vms/200:@testgroup2:NoAccess:
|
||||
acl:1:/vms/300:alex@pve:PVEVMAdmin:
|
||||
acl:1:/vms/400:alex@pve:Administrator:
|
||||
|
||||
|
@@ -13,7 +13,7 @@ group:testgroup3:max@pve:
|
||||
|
||||
role:storage_manager:Datastore.AllocateSpace,Datastore.Audit:
|
||||
role:customer:VM.Audit,VM.PowerMgmt:
|
||||
role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
|
||||
role:vm_admin:VM.Audit,VM.Allocate,VM.Console:
|
||||
|
||||
acl:1:/vms:@testgroup1:vm_admin:
|
||||
acl:0:/vms/300:max@pve:customer:
|
||||
|