The privilege VM.Monitor has a very ambiguous name and is dropped. Most of the API endpoints using it are for the QEMU guest agent commands, the only other place is access to the QEMU HMP monitor.

1. Introduce dedicated, more fine-grained privileges for the guest agent commands:

   There is a basic VM.GuestAgent.Audit privilege for read-only, informational commands.
   There are dedicated privileges VM.GuestAgent.File{Read,Write} for the file-{read,write} commands.
   There is a separate VM.GuestAgent.FileSystemMgmt privilege for filesystem freeze, thaw and trim.
   The VM.GuestAgent.Unrestricted privilege is to allow all guest agent operations, in particular also execution of arbitrary commands with guest-exec.

2. For access to the QEMU HMP monitor, only the 'info' and 'help' commands were usable without an additional Sys.Modify privilege. Since the information accessible via 'info' is very low-level and often related to the QEMU process on the system, requiring Sys.Audit seems natural.

These are breaking changes. A check in pve8to9 is provided.

qemu-server patch "api: monitor: improve permission handling" and manager patch "pve8to9: remove outdated checks for user roles" can be applied independently from the rest of the series.

New qemu-server depends on new access-control, new access-control breaks old qemu-server.

access-control:

Fiona Ebner (2):
  add VM.GuestAgent privileges
  privileges: drop VM.Monitor

 src/PVE/AccessControl.pm | 7 +++++--
 src/test/perm-test1.pl   | 8 ++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

qemu-server:

Fiona Ebner (3):
  api: agent: use more specific guest agent privileges
  api: monitor: improve permission handling
  api: monitor: require Sys.Audit or Sys.Modify privilege

 src/PVE/API2/Qemu.pm          |  34 ++++--
 src/PVE/API2/Qemu/Agent.pm    |  66 +++++++++--
 src/PVE/API2/Qemu/HMPPerms.pm | 207 ++++++++++++++++++++++++++++++++++
 src/PVE/API2/Qemu/Makefile    |   2 +-
 4 files changed, 289 insertions(+), 20 deletions(-)
 create mode 100644 src/PVE/API2/Qemu/HMPPerms.pm

manager:

Fiona Ebner (2):
  pve8to9: remove outdated checks for user roles
  pve8to9: check for to-be-dropped VM.Monitor privilege in custom roles

 PVE/CLI/pve8to9.pm | 40 ++++++++++++++++------------------------
 1 file changed, 16 insertions(+), 24 deletions(-)

docs:

Fiona Ebner (2):
  user management: privileges: document new VM guest agent privileges
  user management: privileges: remove reference to dropped VM.Monitor privilege

 pveum.adoc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Summary over all repositories:
  8 files changed, 322 insertions(+), 49 deletions(-)

-- 
Generated by git-murpp 0.5.0
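
An audit for custom roles that still grant VM.Monitor, written as an added example; it is not the pve8to9 code from this series. It assumes role definitions are stored as `role:<name>:<privileges>:` lines as in /etc/pve/user.cfg, and the sample configuration, role names and the look-alike privilege are constructed.

```python
"""Flag custom roles that still grant the dropped VM.Monitor privilege."""

DROPPED = "VM.Monitor"

# Privileges the cover letter names as covering what VM.Monitor used to gate.
# Listed for operator review only; nothing here is granted automatically.
CANDIDATES = (
    "VM.GuestAgent.Audit",
    "VM.GuestAgent.FileRead",
    "VM.GuestAgent.FileWrite",
    "VM.GuestAgent.FileSystemMgmt",
    "VM.GuestAgent.Unrestricted",
    "Sys.Audit",  # HMP monitor access
)

# Constructed sample; assumed format: role:<name>:<comma-separated privileges>:
# "VM.MonitorX" is a made-up name, present only to show exact matching.
SAMPLE_CFG = """\
user:helpdesk@pve:1:0::::::
role:HelpDesk:VM.Audit,VM.Console,VM.Monitor:
role:Auditor:VM.Audit,Sys.Audit:
role:Ops:VM.Monitor, VM.PowerMgmt,VM.Audit:
role:Lookalike:VM.MonitorX,VM.Audit:
acl:1:/vms/100:helpdesk@pve:HelpDesk:
"""

def parse_roles(cfg_text):
    """Return {role name: set of privileges}, ignoring user/acl/other lines."""
    roles = {}
    for raw in cfg_text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) < 3 or fields[0] != "role":
            continue
        roles[fields[1].strip()] = {p.strip() for p in fields[2].split(",") if p.strip()}
    return roles

def roles_needing_review(cfg_text):
    """Sorted (role, remaining privileges) for every role granting VM.Monitor."""
    hits = [(name, sorted(privs - {DROPPED}))
            for name, privs in parse_roles(cfg_text).items() if DROPPED in privs]
    return sorted(hits)

if __name__ == "__main__":
    for name, remaining in roles_needing_review(SAMPLE_CFG):
        print(f"role '{name}' grants {DROPPED}; keeps: {', '.join(remaining) or '(none)'}")
    print("review and add as needed:", ", ".join(CANDIDATES))
```

Which of the listed privileges a flagged role should receive depends on what its users did with VM.Monitor; granting VM.GuestAgent.Unrestricted by default would also allow guest-exec.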