[pve-devel] [PATCH access-control v4 1/1] add privileges and paths for cluster resource mapping

[Dominik Csapak]

uses the privileges:

Resource.Use
Resource.Modify

on /resource/{TYPE}/{id}

so that we can assign privileges on resource level

this will generate new roles (PVEResourceUser, PVEResourceAdmin)

note that every user with Permissions.Modify on '/' and propagate can add these
new roles to themselves (Administrator and PVEAdmin roles currently have
this privilege)

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 src/PVE/AccessControl.pm  | 20 +++++++++++++++++++-
 src/PVE/RPCEnvironment.pm |  7 +++++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 89b7d90..d093970 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1159,13 +1159,22 @@ my $privgroups = {
 	    'Pool.Audit',
 	],
     },
+    Resource => {
+	root => [],
+	admin => [
+	    'Resource.Modify',
+	],
+	user => [
+	    'Resource.Use',
+	],
+    },
 };
 
 my $valid_privs = {};
 
 my $special_roles = {
     'NoAccess' => {}, # no privileges
-    'Administrator' => $valid_privs, # all privileges
+    'Administrator' => {}, # all privileges
 };
 
 sub create_roles {
@@ -1175,6 +1184,7 @@ sub create_roles {
 	foreach my $p (@{$cd->{root}}, @{$cd->{admin}},
 		       @{$cd->{user}}, @{$cd->{audit}}) {
 	    $valid_privs->{$p} = 1;
+	    $special_roles->{"Administrator"}->{$p} = 1;
 	}
 	foreach my $p (@{$cd->{admin}}, @{$cd->{user}}, @{$cd->{audit}}) {
 
@@ -1191,6 +1201,11 @@ sub create_roles {
 	}
     }
 
+    # remove Resource.Modify from Administrator and PVEAdmin, only
+    # root at pam and PVEResourceAdmin should be able to use that for now
+    delete $special_roles->{"Administrator"}->{"Resource.Modify"};
+    delete $special_roles->{"PVEAdmin"}->{"Resource.Modify"};
+
     $special_roles->{"PVETemplateUser"} = { 'VM.Clone' => 1, 'VM.Audit' => 1 };
 };
 
@@ -1288,6 +1303,9 @@ sub check_path {
 	|/storage/[[:alnum:]\.\-\_]+
 	|/vms
 	|/vms/[1-9][0-9]{2,}
+	|/resource
+	|/resource/[[:alnum:]\.\-\_]+/
+	|/resource/[[:alnum:]\.\-\_]+/[[:alnum:]\.\-\_]+
     )$!xs;
 }
 
diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 8586938..8454939 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -137,7 +137,9 @@ sub permissions {
 
     if ($user eq 'root at pam') { # root can do anything
 	my $cfg = $self->{user_cfg};
-	return { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
+	my $permissions = { map { $_ => 1 } keys %{$cfg->{roles}->{'Administrator'}} };
+	$permissions->{"Resource.Modify"} = 1;
+	return $permissions;
     }
 
     if (!defined($path)) {
@@ -187,10 +189,11 @@ sub compute_api_permission {
 	nodes => qr/Sys\.|Permissions\.Modify/,
 	sdn => qr/SDN\.|Permissions\.Modify/,
 	dc => qr/Sys\.Audit|SDN\./,
+	resource => qr/Resource\./,
     };
     map { $res->{$_} = {} } keys %$priv_re_map;
 
-    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn'];
+    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn', '/resource'];
     my $defined_paths = [];
     PVE::AccessControl::iterate_acl_tree("/", $usercfg->{acl_root}, sub {
 	my ($path, $node) = @_;
-- 
2.30.2