[pve-devel] [PATCH manager] add permissions to allow non root ceph configuration

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Feb 2 10:48:27 CET 2016


The *.Audit parts are definitely fine.

Note that while Sys.Console shows the Console tab, the console api call
itself also has a hardcoded check for realm == 'pam' and spawns a login
prompt for non-root users, so Sys.Console alone might not be equivalent
after all.
So there's still the question whether we define Sys.Console to be enough
or want one or more new ceph specific permission types? Note that
'createosd' for instance takes a block device name as parameter and is
therefore potentially dangerous.
In any case we need to carefully audit all the run_command calls in the
ceph API calls to make sure no arbitrary shell commands can be leaked
into it via user-input.

On Mon, Feb 01, 2016 at 12:49:47PM +0100, Thomas Lamprecht wrote:
> Do not only allow root@pam to admin ceph server as some users do not
> want to allow root logins and users with the Sys.Console permission
> can open a root host shell and thus indirectly admin ceph, thus
> make it sane for them.
> 
> We use basically the following permissions:
>  Sys.Console:
>     for any delete, add, modify action (POST, PUT, DELETE)
>  Sys.Audit and Datastore.Audit:
>     for any status/information view action (GET)
>  Sys.Log:
>     for viewing the Ceph log (was already implemented)
> 
> Also show users with any of those capabilities the ceph tab in the
> web GUI.
> 
> Addresses bug#818
> 
> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> ---
>  PVE/API2/Ceph.pm           | 57 ++++++++++++++++++++++++++++++++++++++++++++++
>  www/manager/node/Config.js |  4 ++++
>  2 files changed, 61 insertions(+)
> 
> diff --git a/PVE/API2/Ceph.pm b/PVE/API2/Ceph.pm
> index e831989..6e603e1 100644
> --- a/PVE/API2/Ceph.pm
> +++ b/PVE/API2/Ceph.pm
> @@ -61,6 +61,9 @@ __PACKAGE__->register_method ({
>      description => "Get Ceph osd list/tree.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
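
Review bot: the check path in this hunk, and in every other hunk of this file, is '/', so the privilege must be granted at the root of the ACL tree even though the call is proxied with proxyto => 'node'. If that is intended, state it in the commit message. If per-node delegation is wanted, the check should use '/nodes/{node}' instead. The web GUI part of the patch tests caps.nodes, which is a different scope from '/'.
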
> @@ -157,6 +160,9 @@ __PACKAGE__->register_method ({
>      description => "Create OSD",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
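
Review bot: 'Sys.Console' on '/' is the only gate this hunk puts in front of "Create OSD", and as the reply above points out, this call takes a block device name while the console API call additionally requires realm == 'pam'. Sys.Console therefore grants more here than it does on the console path. Either introduce a dedicated privilege for the modifying ceph calls or document that Sys.Console is treated as root-equivalent, and make sure the device parameter is constrained by the schema before it reaches any run_command call.
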
> @@ -257,6 +263,9 @@ __PACKAGE__->register_method ({
>      description => "Destroy OSD",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -378,6 +387,9 @@ __PACKAGE__->register_method ({
>      description => "ceph osd in",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -414,6 +426,9 @@ __PACKAGE__->register_method ({
>      description => "ceph osd out",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -486,6 +501,9 @@ __PACKAGE__->register_method ({
>      method => 'GET',
>      description => "Directory index.",
>      permissions => { user => 'all' },
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
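
Review bot: the added permissions key sits directly below the existing context line permissions => { user => 'all' }, so the hash passed to register_method now carries two permissions keys. Perl keeps the last one, which silently replaces user => 'all' with the Audit check and leaves the old line as dead code. Remove the old line in this hunk if the directory index should be restricted, or drop the addition if the index is meant to stay open to all users.
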
> @@ -527,6 +545,9 @@ __PACKAGE__->register_method ({
>      description => "List local disks.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -588,6 +609,9 @@ __PACKAGE__->register_method ({
>      name => 'config',
>      path => 'config',
>      method => 'GET',
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      description => "Get Ceph configuration.",
>      parameters => {
>      	additionalProperties => 0,
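
Review bot: in this hunk permissions is inserted between method and description, while every other hunk in the file adds it after protected => 1. Place it consistently with the other registrations so the check is easy to find when auditing the file.
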
> @@ -613,6 +637,9 @@ __PACKAGE__->register_method ({
>      description => "Get Ceph monitor list.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -679,6 +706,9 @@ __PACKAGE__->register_method ({
>      description => "Create initial ceph default configuration and setup symlinks.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -788,6 +818,9 @@ __PACKAGE__->register_method ({
>      description => "Create Ceph Monitor",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -915,6 +948,9 @@ __PACKAGE__->register_method ({
>      description => "Destroy Ceph monitor.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -980,6 +1016,9 @@ __PACKAGE__->register_method ({
>      description => "Stop ceph services.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -1027,6 +1066,9 @@ __PACKAGE__->register_method ({
>      description => "Start ceph services.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -1074,6 +1116,9 @@ __PACKAGE__->register_method ({
>      description => "Get ceph status.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -1097,6 +1142,9 @@ __PACKAGE__->register_method ({
>      description => "List all pools.",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -1159,6 +1207,9 @@ __PACKAGE__->register_method ({
>      description => "Create POOL",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -1263,6 +1314,9 @@ __PACKAGE__->register_method ({
>      description => "Destroy pool",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Console' ]],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> @@ -1300,6 +1354,9 @@ __PACKAGE__->register_method ({
>      description => "Get OSD crush map",
>      proxyto => 'node',
>      protected => 1,
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
> +    },
>      parameters => {
>      	additionalProperties => 0,
>  	properties => {
> diff --git a/www/manager/node/Config.js b/www/manager/node/Config.js
> index e6c7ae1..82ae0a0 100644
> --- a/www/manager/node/Config.js
> +++ b/www/manager/node/Config.js
> @@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', {
>  		    nodename: nodename
>  		}
>  	    ]);
> +	}
> +
> +	if (caps.nodes['Sys.Console'] || caps.nodes['Sys.Audit'] ||
> +	    caps.nodes['Sys.Log']) {
>  	    me.items.push([{
>  		title: 'Ceph',
>  		itemId: 'ceph',
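
Review bot: the condition on the added lines does not match the API checks in Ceph.pm. It shows the tab for Sys.Log, which satisfies none of the GET checks added by this patch, and it omits Datastore.Audit, which does satisfy them. A user with only Datastore.Audit gets API access but no tab, and a user with only Sys.Log gets a tab whose status calls are denied. Align the condition with the privileges the API accepts. The added closing brace also moves the Ceph item out of the preceding block, so the commit message should say which condition it was under before.
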
> -- 
> 2.1.4
> 
> 