- fence_vmware_rest: detect if the API user has sufficient rights to

manage the fence device Resolves: RHEL-25256
2024-05-23 13:51:18 +02:00 · 2024-05-23 13:51:18 +02:00 · c3c737aac3
commit c3c737aac3
parent e943caec6d
2 changed files with 34 additions and 1 deletions
--- a/RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch
+++ b/RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch
@ -0,0 +1,26 @@
+From fc7d7c4baef64f510bd3332c9f008d3e1128dc7b Mon Sep 17 00:00:00 2001
+From: Peter Varkoly <varkoly@suse.com>
+Date: Sun, 11 Feb 2024 09:13:51 +0100
+Subject: [PATCH] fence_vmware_rest : monitoring is not detecting if the API
+ user has sufficient right to manage the fence device. The call
+ https://{api_host}/api/vcenter/vm is subject to permission checks. If the
+ delivered list is empty the user has no rights.
+
+---
+ agents/vmware_rest/fence_vmware_rest.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/agents/vmware_rest/fence_vmware_rest.py b/agents/vmware_rest/fence_vmware_rest.py
+index 378771863..9dc9a12f4 100644
+--- a/agents/vmware_rest/fence_vmware_rest.py
+++ b/agents/vmware_rest/fence_vmware_rest.py
+@@ -60,6 +60,9 @@ def get_list(conn, options):
+ 		else:
+ 			fail(EC_STATUS)
+ 
+	if options.get("--original-action") == "monitor" and not res["value"]:
+		logging.error("API user does not have sufficient rights to manage the power status.")
+		fail(EC_STATUS)
+ 	for r in res["value"]:
+ 		outlets[r["name"]] = ("", state[r["power_state"]])
+ 
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 72%{?alphatag:.%{alphatag}}%{?dist}
+Release: 73%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -252,6 +252,7 @@ Patch51: RHEL-14030-2-fence_cisco_mds-undo-metadata-change.patch
 Patch52: RHEL-14344-fence_zvmip-2-fix-manpage-formatting.patch
 Patch53: RHEL-31488-RHEL-31485-RHEL-31483-fence_aliyun-update.patch
 Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patch
+Patch55: RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch

 ### HA support libs/utils ###
 # all archs
@ -427,6 +428,7 @@ BuildRequires: %{systemd_units}
 %patch -p1 -P 52
 %patch -p1 -P 53
 %patch -p1 -P 54 -F2
+%patch -p1 -P 55

 # prevent compilation of something that won't get used anyway
 sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@ -1523,6 +1525,11 @@ are located on corosync cluster nodes.
 %endif

 %changelog
+* Thu May 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-73
+- fence_vmware_rest: detect if the API user has sufficient rights to
+  manage the fence device
+  Resolves: RHEL-25256
+
 * Wed May 15 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-72
 - bundled jinja2: fix CVE-2024-34064
  Resolves: RHEL-35649