[pve-devel] [PATCH cluster] Require Sys.Audit to read the cluster configuration

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Mar 7 12:21:23 CET 2017


Looks good to me, adding new permissions is not worth it for now,
so I would have done the same here.

On 03/06/2017 11:42 AM, Emmanuel Kasper wrote:
> Up to now only root could see the corosync cluster config.
>
> Sys.Audit is the same permission required
> for reading the HA Config and the HA Resources Config.
> ---
> NB: a patch for the permission description in user management will follow
>   data/PVE/API2/ClusterConfig.pm | 9 +++++++++
>   1 file changed, 9 insertions(+)
>
> diff --git a/data/PVE/API2/ClusterConfig.pm b/data/PVE/API2/ClusterConfig.pm
> index ab807bd..65b376f 100644
> --- a/data/PVE/API2/ClusterConfig.pm
> +++ b/data/PVE/API2/ClusterConfig.pm
> @@ -16,6 +16,9 @@ __PACKAGE__->register_method({
>       path => '',
>       method => 'GET',
>       description => "Directory index.",
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit' ]],
> +    },
>       parameters => {
>   	additionalProperties => 0,
>   	properties => {},
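Review bot: on the method with path => '', described only as "Directory index.", the check ['perm', '/', [ 'Sys.Audit' ]] gates a listing of sub-paths rather than the cluster configuration itself. If the intent is to hide the whole subtree from users without Sys.Audit, a sentence in the commit message saying so would help; otherwise the check could be limited to the methods that return data.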
> @@ -44,6 +47,9 @@ __PACKAGE__->register_method({
>       path => 'nodes',
>       method => 'GET',
>       description => "Corosync node list.",
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit' ]],
> +    },
>       parameters => {
>   	additionalProperties => 0,
>   	properties => {},
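Review bot: the permissions block added to the 'nodes' method is identical to the ones this patch adds to the index and 'totem' methods. Defining the check once in a file-level variable and referencing it from all three register_method calls would keep the three from drifting apart if one is edited later.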
> @@ -73,6 +79,9 @@ __PACKAGE__->register_method({
>       path => 'totem',
>       method => 'GET',
>       description => "Get corosync totem protocol settings.",
> +    permissions => {
> +	check => ['perm', '/', [ 'Sys.Audit' ]],
> +    },
>       parameters => {
>   	additionalProperties => 0,
>   	properties => {},
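Review bot: for the 'totem' method the commit message justifies Sys.Audit by analogy with the HA config, but neither the hunk nor the message says which fields "Get corosync totem protocol settings." returns. Since the message states this was root-only until now, it is worth confirming, and noting in the commit message, that nothing in that output is more sensitive than what Sys.Audit on '/' already exposes.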




