rpms/fence-agents
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- fence_vmware_rest: detect if the API user has sufficient rights to

Browse Source 
manage the fence device
  Resolves: RHEL-25256
This commit is contained in:
Oyvind Albrigtsen 2024-05-23 13:51:18 +02:00
parent e943caec6d
commit c3c737aac3
2 changed files with 34 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch Normal file
View File

@ -0,0 +1,26 @@
From fc7d7c4baef64f510bd3332c9f008d3e1128dc7b Mon Sep 17 00:00:00 2001
From: Peter Varkoly <varkoly@suse.com>
Date: Sun, 11 Feb 2024 09:13:51 +0100
Subject: [PATCH] fence_vmware_rest : monitoring is not detecting if the API
user has sufficient right to manage the fence device. The call
https://{api_host}/api/vcenter/vm is subject to permission checks. If the
delivered list is empty the user has no rights.
---
agents/vmware_rest/fence_vmware_rest.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/agents/vmware_rest/fence_vmware_rest.py b/agents/vmware_rest/fence_vmware_rest.py
index 378771863..9dc9a12f4 100644
--- a/agents/vmware_rest/fence_vmware_rest.py
+++ b/agents/vmware_rest/fence_vmware_rest.py
@@ -60,6 +60,9 @@ def get_list(conn, options):
else:
fail(EC_STATUS)
+ if options.get("--original-action") == "monitor" and not res["value"]:
+ logging.error("API user does not have sufficient rights to manage the power status.")
+ fail(EC_STATUS)
for r in res["value"]:
outlets[r["name"]] = ("", state[r["power_state"]])

9
fence-agents.spec
View File

@ -59,7 +59,7 @@
Name: fence-agents Name: fence-agents
Summary: Set of unified programs capable of host isolation ("fencing") Summary: Set of unified programs capable of host isolation ("fencing")
Version: 4.10.0 Version: 4.10.0
Release: 72%{?alphatag:.%{alphatag}}%{?dist} Release: 73%{?alphatag:.%{alphatag}}%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://github.com/ClusterLabs/fence-agents URL: https://github.com/ClusterLabs/fence-agents
Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -252,6 +252,7 @@ Patch51: RHEL-14030-2-fence_cisco_mds-undo-metadata-change.patch
Patch52: RHEL-14344-fence_zvmip-2-fix-manpage-formatting.patch Patch52: RHEL-14344-fence_zvmip-2-fix-manpage-formatting.patch
Patch53: RHEL-31488-RHEL-31485-RHEL-31483-fence_aliyun-update.patch Patch53: RHEL-31488-RHEL-31485-RHEL-31483-fence_aliyun-update.patch
Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patch Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patch
Patch55: RHEL-25256-fence_vmware_rest-detect-user-sufficient-rights.patch
### HA support libs/utils ### ### HA support libs/utils ###
# all archs # all archs
@ -427,6 +428,7 @@ BuildRequires: %{systemd_units}
%patch -p1 -P 52 %patch -p1 -P 52
%patch -p1 -P 53 %patch -p1 -P 53
%patch -p1 -P 54 -F2 %patch -p1 -P 54 -F2
%patch -p1 -P 55
# prevent compilation of something that won't get used anyway # prevent compilation of something that won't get used anyway
sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac sed -i.orig 's|FENCE_ZVM=1|FENCE_ZVM=0|' configure.ac
@ -1523,6 +1525,11 @@ are located on corosync cluster nodes.
%endif %endif
%changelog %changelog
* Thu May 23 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-73
- fence_vmware_rest: detect if the API user has sufficient rights to
manage the fence device
Resolves: RHEL-25256
* Wed May 15 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-72 * Wed May 15 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-72
- bundled jinja2: fix CVE-2024-34064 - bundled jinja2: fix CVE-2024-34064
Resolves: RHEL-35649 Resolves: RHEL-35649