Restrict pvemanager default_views per-user

alyarb

Well-Known Member
Feb 11, 2020
With rare exception we give some third party partners a login to our PVE cluster. Of course we restrict their permissions to which resource pools they can see and give them only the bare minimum permissions on their VMs.

However, when these restricted users login to the PVE GUI, the default tree view in the left sidebar is "Server View" where they can see all of our nodes and other globals such as storage and VXLAN etc. And that is still the default view for all users.

It offers too much information to a restricted user. (edit: now I can see only nodes are listed, nothing else!)

On PVE 6.x I had modified the pvemanager.lib on all of the nodes thusly:


JavaScript:
// ONLY @PAM USERS AND EMPLOYEES CAN SEE ALL VIEWS
if (Proxmox.UserName.match(/^(root@pam|ay@pve|james@pve|joey@pve|mw@pve|rob@pve|tim@pve|zack@pve)$/)) {
    var default_views = {
        server: {
            text: gettext('Server View'),
            groups: ['node']
        },
        folder: {
            text: gettext('Folder View'),
            groups: ['type']
        },
        storage: {
            text: gettext('Storage View'),
            groups: ['node'],
            filterfn: function(node) {
                return node.data.type === 'storage' || node.data.type === 'node';
            }
        },
        pool: {
            text: gettext('Pool View'),
            groups: ['pool'],
            // Pool View only lists VMs and Containers
            filterfn: function(node) {
                return node.data.type === 'qemu' || node.data.type === 'lxc' || node.data.type === 'openvz' || node.data.type === 'pool';
            }
        }
    };
} else { // EVERYONE ELSE CAN ONLY SEE POOL VIEW
    var default_views = {
        pool: {
            text: gettext('Pool View'),
            groups: ['pool'],
            // Pool View only lists VMs and Containers
            filterfn: function(node) {
                return node.data.type === 'qemu' || node.data.type === 'lxc' || node.data.type === 'openvz' || node.data.type === 'pool';
            }
        }
    };
} // closing brace of the else branch (missing in the original paste)

And it served our needs, so that outsiders can only use the Pool View. Now we've upgraded to 7.2-7 and Ceph Quincy and are overall very happy with the outcome.

However, the structure of this section of the 7.x pvemanagerlib.js is a little different; Proxmox.UserName is not defined at this stage of the script, so I can't do conditional stuff on the user name. I am not super proficient in JS, and I'm reluctant to keep modifying it out of stream or have this ongoing.

I would like to at least have the ability to restrict certain users or groups to the Pool View only.

I wanted to come first to you fine folks about the possibility of defining the permitted and default views on the user and/or role permission object, or if a better solution is available I'd love to hear it. Thanks all.
 
FYI, that was always a pure frontend gate; any such external user could just open the developer console of their browser, check the network responses and figure out the whole set of nodes there. Or they could create an early breakpoint and just set the Proxmox.UserName JS variable to fake root@pam, and then could see all the info they rightfully get from the API again in the GUI (the backend naturally won't eat that, as the actual security checks there are "the real ones" and must not be tricked by some frontend change).

Mostly telling you this to avoid you having some false sense of security with such a change; the node names or the amount of nodes really shouldn't give away too much information, as their all being visible in a cluster comes from the central design of a PVE multi-master cluster, where a guest can reside on any node and VM/CT users get permissions just on the guest, not the node.

However, when these restricted users login to the PVE GUI, the default tree view in the left sidebar is "Server View" where they can see all of our nodes and other globals such as storage and VXLAN etc. And that is still the default view for all users.

Can you describe the use case (or problem) of giving access to Proxmox VE to a set of people that must not know the node amount and names? What do those partners have to do? Note that Proxmox VE isn't a user-facing frontend for hosting and never will be; it's an administrative management interface.

FYI, storages are in general hidden if users do not have access to them via a permission on /storage or /storage/STORE-ID, or via the ones in the resource pool you give them access to.
You can hide them all (and make configuration changes that use such a storage impossible) by adding a NoAccess "negative" permission to /storage.
 
Thanks for responding. Of course it is not a true security measure, it was just meant to control the perspective of our users and provide no more than the data pertinent to them.

These people can only control the power on/off/reset, console, and snapshots, nothing to do with any particular nodes. That is why we only wanted the Pool View available for them. We know the node is displayed on the VM summary, that isn't a big deal.
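The server-side equivalent of what the frontend default_views patch was trying to do, as an added example that is not Proxmox's own code and was not posted in the thread: a pool-scoped role holding just the privileges listed above (VM.Audit is included because without it the guest is not listed at all), plus the NoAccess ACL on /storage suggested in the reply. It assumes a hypothetical PVE group named "partners" and takes the pool names as arguments; set PVEUM=echo to print the pveum commands instead of running them.

```shell
#!/bin/sh
# Added example: replace the frontend view filter with real ACLs.
# Assumptions: group "partners" already exists (hypothetical name);
# pool names are passed on the command line.
set -eu

PVEUM="${PVEUM:-pveum}"   # PVEUM=echo gives an offline dry run

# Privileges the thread lists for partners: power, console, snapshots.
# VM.Audit is required so the guest shows up in the tree at all.
PARTNER_PRIVS="VM.Audit VM.PowerMgmt VM.Console VM.Snapshot"

# Emit the pveum argument lists, one per line, for a group and its pools.
partner_acl_cmds() {
    group="$1"; shift
    # 1. a minimal role with only those privileges (no Sys.*, no Datastore.*)
    echo "role add PartnerVM --privs \"$PARTNER_PRIVS\""
    # 2. explicit NoAccess on /storage: storages vanish from the tree and
    #    cannot be referenced in config changes by this group
    echo "acl modify /storage --groups $group --roles NoAccess"
    # 3. grant the role on each resource pool only, never on / or /nodes,
    #    so the backend (not the GUI) decides what the partner may see
    for pool in "$@"; do
        echo "acl modify /pool/$pool --groups $group --roles PartnerVM"
    done
}

# Run each emitted command through pveum (or echo for a dry run).
apply_partner_acl() {
    partner_acl_cmds "$@" | while IFS= read -r args; do
        eval "$PVEUM $args"
    done
}
```

Running `PVEUM=echo sh thisfile.sh` after appending `apply_partner_acl partners PoolA PoolB` shows the four commands without touching the cluster; the same call with the default PVEUM applies them on a node.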
 
I don't recommend maintaining your own pvemanager.lib.

Maybe PVE 8 will bring it, it's a pretty basic thing.
 
I don't recommend maintaining your own pvemanager.lib.

Maybe PVE 8 will bring it, it's a pretty basic thing.
I'm using PVE 7.x....
But even with your suggested changes, they don't work...

If you got it working, I'd appreciate it if you can share.
 