[pve-devel] [manager] add permissions to allow non root ceph configuration

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Feb 8 14:51:38 CET 2016


Do not only allow root at pam to administer the Ceph server, as some users do not
want to allow root logins, and users with the Sys.Modify permission should be
able to modify Ceph-related settings.

We use basically the following permissions:
 Sys.Modify:
    for any delete, add, modify action (POST, PUT, DELETE)
 Sys.Audit and Datastore.Audit:
    for any status/information view action (GET)
 Sys.Log:
    for viewing the Ceph log (was already implemented)

We have two exceptions creating and destroying osds. Those may only
be done by 'root at pam' for security reasons.

Also show users with any of those capabilities the ceph tab in the
web GUI.

Addresses bug#818
---
 PVE/API2/Ceph.pm           | 51 ++++++++++++++++++++++++++++++++++++++++++++++
 www/manager/node/Config.js |  4 ++++
 2 files changed, 55 insertions(+)

diff --git a/PVE/API2/Ceph.pm b/PVE/API2/Ceph.pm
index e831989..786eecf 100644
--- a/PVE/API2/Ceph.pm
+++ b/PVE/API2/Ceph.pm
@@ -61,6 +61,9 @@ __PACKAGE__->register_method ({
     description => "Get Ceph osd list/tree.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
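Review bot: Every new check in this file is anchored at the ACL path `/` (`['perm', '/', ...]`), while the Config.js hunk gates the tab on `caps.nodes[...]`, which is presumably derived from the `/nodes` ACL path — a user granted Sys.Audit on `/nodes` only would then see the Ceph tab yet receive a permission error from these calls. If `/` is deliberate because Ceph is cluster-wide rather than per-node, a one-line comment above the first check, e.g. `# ceph is cluster-wide, so permissions are checked on '/' rather than /nodes/{node}`, would make that explicit. Confirm which path the GUI capability map is computed from before changing either side.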
@@ -378,6 +381,9 @@ __PACKAGE__->register_method ({
     description => "ceph osd in",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -414,6 +420,9 @@ __PACKAGE__->register_method ({
     description => "ceph osd out",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -486,6 +495,9 @@ __PACKAGE__->register_method ({
     method => 'GET',
     description => "Directory index.",
     permissions => { user => 'all' },
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
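Review bot: The added `permissions` block on the directory index duplicates the existing `permissions => { user => 'all' },` key two lines above, so the hash literal now carries the same key twice; Perl silently keeps the last value, so the new check takes effect but the old line survives as misleading dead code. Remove it in the same hunk (`-    permissions => { user => 'all' },`) so the intended restriction is explicit. Also confirm that tightening the index from `user => 'all'` to Sys.Audit/Datastore.Audit is wanted — a directory index is typically left open so API browsing works, and the effective protection is on the leaf endpoints patched below.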
@@ -527,6 +539,9 @@ __PACKAGE__->register_method ({
     description => "List local disks.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -588,6 +603,9 @@ __PACKAGE__->register_method ({
     name => 'config',
     path => 'config',
     method => 'GET',
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     description => "Get Ceph configuration.",
     parameters => {
     	additionalProperties => 0,
@@ -613,6 +631,9 @@ __PACKAGE__->register_method ({
     description => "Get Ceph monitor list.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -679,6 +700,9 @@ __PACKAGE__->register_method ({
     description => "Create initial ceph default configuration and setup symlinks.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -788,6 +812,9 @@ __PACKAGE__->register_method ({
     description => "Create Ceph Monitor",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -915,6 +942,9 @@ __PACKAGE__->register_method ({
     description => "Destroy Ceph monitor.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -980,6 +1010,9 @@ __PACKAGE__->register_method ({
     description => "Stop ceph services.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -1027,6 +1060,9 @@ __PACKAGE__->register_method ({
     description => "Start ceph services.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -1074,6 +1110,9 @@ __PACKAGE__->register_method ({
     description => "Get ceph status.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -1097,6 +1136,9 @@ __PACKAGE__->register_method ({
     description => "List all pools.",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -1159,6 +1201,9 @@ __PACKAGE__->register_method ({
     description => "Create POOL",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
@@ -1263,6 +1308,9 @@ __PACKAGE__->register_method ({
     description => "Destroy pool",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Modify' ]],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
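Review bot: Destroying a pool is an unrecoverable data-loss operation, yet it is opened to Sys.Modify here while the commit message keeps only OSD create/destroy root-only "for security reasons"; nothing in the code records why the line is drawn there. Add a short comment above this check stating the rationale, e.g. `# deliberately Sys.Modify rather than root-only; presumably OSD create/destroy stay root-only because they act on local disks`, or, if that is not the intended distinction, apply the same root-only exception to destroypool. The handler body that performs the removal lies outside this hunk, so any existing confirmation or safety parameter could not be checked.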
@@ -1300,6 +1348,9 @@ __PACKAGE__->register_method ({
     description => "Get OSD crush map",
     proxyto => 'node',
     protected => 1,
+    permissions => {
+	check => ['perm', '/', [ 'Sys.Audit', 'Datastore.Audit' ], any => 1],
+    },
     parameters => {
     	additionalProperties => 0,
 	properties => {
diff --git a/www/manager/node/Config.js b/www/manager/node/Config.js
index e6c7ae1..bc0494e 100644
--- a/www/manager/node/Config.js
+++ b/www/manager/node/Config.js
@@ -197,6 +197,10 @@ Ext.define('PVE.node.Config', {
 		    nodename: nodename
 		}
 	    ]);
+	}
+
+	if (caps.nodes['Sys.Modify'] || caps.nodes['Sys.Audit'] ||
+	    caps.nodes['Sys.Log']) {
 	    me.items.push([{
 		title: 'Ceph',
 		itemId: 'ceph',
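Review bot: The tab condition checks `Sys.Modify`, `Sys.Audit` and `Sys.Log` on `caps.nodes`, but the API GET endpoints in this patch also accept `Datastore.Audit` (`any => 1`), so a user holding only Datastore.Audit can query the Ceph API yet never sees the tab, although the commit message says the tab should appear for any of those capabilities. If that is intended, add it to the condition — presumably via the storage capability map rather than `caps.nodes`, e.g. `caps.storage['Datastore.Audit']` — and confirm the capability namespace. Conversely, a user with only `Sys.Log` gets the tab while every status/list call in this patch requires Sys.Audit or Datastore.Audit, so panels other than the log would fail to load; a short comment above the `if` stating which sub-panels each capability is expected to unlock would help. The enclosing function starts before this hunk.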
-- 
2.1.4




