From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 1610A1FF183 for ; Wed, 16 Jul 2025 15:12:15 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 10BC510B62; Wed, 16 Jul 2025 15:09:43 +0200 (CEST) From: Gabriel Goller To: pve-devel@lists.proxmox.com Date: Wed, 16 Jul 2025 15:07:55 +0200 Message-Id: <20250716130837.585796-35-g.goller@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250716130837.585796-1-g.goller@proxmox.com> References: <20250716130837.585796-1-g.goller@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.164 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RCVD_IN_MSPIKE_H2 0.001 Average reputation (+2) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH pve-access-control v5 1/1] permissions: add ACL paths for SDN fabrics X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" From: Stefan Hanreich Add permission path /sdn/fabrics/{fabric_id}. There are currently only SDN-specific permissions for the fabric itself, not the nodes. For displaying / editing the nodes, the existing permissions Sys.Audit or Sys.Modify on /nodes/{node} are required, because they are already used for viewing / editing the network configuration of a node. The node settings mostly revolve around configuring IPs and network interfaces on that node, so we decided to stick with the permission that is already governing that, since it would need to be checked when editing a node anyway. Otherwise, users with access to a fabric node could change parts of the network configuration of arbitrary interfaces that node, circumventing the current permission checks. A separate, SDN-specific, permission would not add much benefit because of that. Signed-off-by: Stefan Hanreich --- src/PVE/AccessControl.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 7cd912954c9a..cebb76f765ad 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -1285,6 +1285,8 @@ sub check_path { |/sdn/controllers/[[:alnum:]\_\-]+ |/sdn/dns |/sdn/dns/[[:alnum:]]+ + |/sdn/fabrics + |/sdn/fabrics/[[:alnum:]]+ |/sdn/ipams |/sdn/ipams/[[:alnum:]]+ |/sdn/zones -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel