[pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard

[pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard

[Shan Shaji]

When a non-root user tried to access the EVPN section, the API was
returning a "403: permission check failed" error. To fix this, explicit
permission checks have been added for the `/zones`, `/vnets`, and
`/controllers` endpoints.

Now, every authenticated user can access these endpoints however, the user
must have at least the Resource.Audit permission under `/resource`.
Remotes are also filtered based on the user’s access. Lists will only be
fetched from remotes for which the user has at least the
`Resource.Audit` permission on `/remote/{remote_name}`.

Shan Shaji (3):
  fix #6901: api: add explicit permission check for controllers list
  fix #6901: api: add explicit permission check for vnets list
  fix #6901: api: add explicit permission check for zones list

 server/src/api/sdn/controllers.rs | 30 ++++++++++++++++++++++++++----
 server/src/api/sdn/vnets.rs       | 29 ++++++++++++++++++++++++++---
 server/src/api/sdn/zones.rs       | 28 +++++++++++++++++++++++++---
 3 files changed, 77 insertions(+), 10 deletions(-)

-- 
2.47.3



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

[pdm-devel] [PATCH datacenter-manager 1/3] fix #6901: api: add explicit permission check for controllers list

[Shan Shaji]

When a non-root user tried to access the EVPN section, the API was
throwing "403: permission check failed" error. To fix this, add
explicit permission check for the `/controller` endpoint.

Now every authenticated user can access the endpoint however, the user
needs to have at least `Resource.Audit` permission under `/resource`.
Only the controllers from remotes which the user has `Resource.Audit`
privilege on `/remote/{remote_name}` will be included in the returned
list.

Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
 server/src/api/sdn/controllers.rs | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/server/src/api/sdn/controllers.rs b/server/src/api/sdn/controllers.rs
index 271397a..649d668 100644
--- a/server/src/api/sdn/controllers.rs
+++ b/server/src/api/sdn/controllers.rs
@@ -1,10 +1,11 @@
 use std::collections::HashSet;
 
-use anyhow::Error;
+use anyhow::{format_err, Error};
 
 use pbs_api_types::REMOTE_ID_SCHEMA;
-use pdm_api_types::{remotes::RemoteType, sdn::ListController};
-use proxmox_router::Router;
+use pdm_api_types::{remotes::RemoteType, sdn::ListController, Authid, PRIV_RESOURCE_AUDIT};
+use proxmox_access_control::CachedUserInfo;
+use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
 use proxmox_schema::api;
 use pve_api_types::ListControllersType;
 
@@ -49,6 +50,12 @@ pub const ROUTER: Router = Router::new().get(&API_METHOD_LIST_CONTROLLERS);
             type: ListController,
         },
     },
+    access: {
+        permission: &Permission::Anybody,
+        description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
+        Only controllers from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
+        will be included in the returned list."
+    }
 )]
 /// Query controllers of remotes with optional filtering options
 pub async fn list_controllers(
@@ -56,10 +63,25 @@ pub async fn list_controllers(
     running: Option<bool>,
     ty: Option<ListControllersType>,
     remotes: Option<HashSet<String>>,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Vec<ListController>, Error> {
+    let user_info = CachedUserInfo::new()?;
+
+    let auth_id: Authid = rpcenv
+        .get_auth_id()
+        .ok_or_else(|| format_err!("no authid available"))?
+        .parse()?;
+
+    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
+        http_bail!(FORBIDDEN, "user has no access to resources");
+    }
+
     let (remote_config, _) = pdm_config::remotes::config()?;
+    let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
+        user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
+    });
 
-    let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
+    let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
         if remote.ty == RemoteType::Pve
             && remotes
                 .as_ref()
-- 
2.47.3



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

[pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

[Shan Shaji]

When a non-root user tried to access the EVPN section, the API was
throwing "403: permission check failed" error. To fix this, add
explicit permission check for the `/vnets` endpoint.

Now every authenticated user can access the endpoint however, the user
needs to have at least `Resource.Audit` permission under `/resource`.
Only the vnets from remotes which the user has `Resource.Audit`
privilege on `/remote/{remote_name}` will be included in the returned
list.

Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
 server/src/api/sdn/vnets.rs | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/server/src/api/sdn/vnets.rs b/server/src/api/sdn/vnets.rs
index a8092cf..a2dfdb4 100644
--- a/server/src/api/sdn/vnets.rs
+++ b/server/src/api/sdn/vnets.rs
@@ -1,3 +1,4 @@
+use core::option::Option::Some;
 use std::collections::HashSet;
 
 use anyhow::{format_err, Error};
@@ -5,10 +6,11 @@ use pbs_api_types::REMOTE_ID_SCHEMA;
 use pdm_api_types::{
     remotes::RemoteType,
     sdn::{CreateVnetRemote, ListVnet, SDN_ID_SCHEMA, VXLAN_ID_SCHEMA},
-    Authid,
+    Authid, PRIV_RESOURCE_AUDIT,
 };
+use proxmox_access_control::CachedUserInfo;
 use proxmox_rest_server::WorkerTask;
-use proxmox_router::{Router, RpcEnvironment};
+use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
 use proxmox_schema::api;
 use pve_api_types::{CreateVnet, SdnVnetType};
 
@@ -52,16 +54,37 @@ pub const ROUTER: Router = Router::new()
             type: ListVnet,
         },
     },
+    access: {
+        permission: &Permission::Anybody,
+        description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
+        Only vnets from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
+        will be included in the returned list."
+    }
 )]
 /// Query VNets of PVE remotes with optional filtering options
 async fn list_vnets(
     pending: Option<bool>,
     running: Option<bool>,
     remotes: Option<HashSet<String>>,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Vec<ListVnet>, Error> {
+    let user_info = CachedUserInfo::new()?;
+
+    let auth_id: Authid = rpcenv
+        .get_auth_id()
+        .ok_or_else(|| format_err!("no authid available"))?
+        .parse()?;
+
+    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
+        http_bail!(FORBIDDEN, "user has no access to resources");
+    }
+
     let (remote_config, _) = pdm_config::remotes::config()?;
+    let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
+        user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
+    });
 
-    let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
+    let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
         if remote.ty == RemoteType::Pve
             && remotes
                 .as_ref()
-- 
2.47.3



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

[pdm-devel] [PATCH datacenter-manager 3/3] fix #6901: api: add explicit permission check for zones list

[Shan Shaji]

When a non-root user tried to access the EVPN section, the API was
throwing "403: permission check failed" error. To fix this, add
explicit permission check for the `/zones` endpoint.

Now every authenticated user can access the endpoint however, the user
needs to have at least `Resource.Audit` permission under `/resource`.
Only the zones from remotes which the user has `Resource.Audit`
privilege on `/remote/{remote_name}` will be included in the returned
list.

Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---
 server/src/api/sdn/zones.rs | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/server/src/api/sdn/zones.rs b/server/src/api/sdn/zones.rs
index 5e0ec54..60fae20 100644
--- a/server/src/api/sdn/zones.rs
+++ b/server/src/api/sdn/zones.rs
@@ -6,10 +6,11 @@ use pbs_api_types::REMOTE_ID_SCHEMA;
 use pdm_api_types::{
     remotes::RemoteType,
     sdn::{CreateZoneRemote, ListZone, SDN_ID_SCHEMA, VXLAN_ID_SCHEMA},
-    Authid,
+    Authid, PRIV_RESOURCE_AUDIT,
 };
+use proxmox_access_control::CachedUserInfo;
 use proxmox_rest_server::WorkerTask;
-use proxmox_router::{Router, RpcEnvironment};
+use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
 use proxmox_schema::api;
 use pve_api_types::{CreateZone, ListZonesType};
 
@@ -57,6 +58,12 @@ pub const ROUTER: Router = Router::new()
             type: ListZone,
         },
     },
+    access: {
+        permission: &Permission::Anybody,
+        description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
+        Only zones from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
+        will be included in the returned list."
+    }
 )]
 /// Query zones of remotes with optional filtering options
 pub async fn list_zones(
@@ -64,10 +71,25 @@ pub async fn list_zones(
     running: Option<bool>,
     ty: Option<ListZonesType>,
     remotes: Option<HashSet<String>>,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Vec<ListZone>, Error> {
+    let user_info = CachedUserInfo::new()?;
+
+    let auth_id: Authid = rpcenv
+        .get_auth_id()
+        .ok_or_else(|| format_err!("no authid available"))?
+        .parse()?;
+
+    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
+        http_bail!(FORBIDDEN, "user has no access to resources");
+    }
+
     let (remote_config, _) = pdm_config::remotes::config()?;
+    let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
+        user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
+    });
 
-    let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
+    let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
         if remote.ty == RemoteType::Pve
             && remotes
                 .as_ref()
-- 
2.47.3



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

[Stefan Hanreich]

On 10/14/25 5:03 PM, Shan Shaji wrote:
> When a non-root user tried to access the EVPN section, the API was
> throwing "403: permission check failed" error. To fix this, add
> explicit permission check for the `/vnets` endpoint.
> 
> Now every authenticated user can access the endpoint however, the user
> needs to have at least `Resource.Audit` permission under `/resource`.
> Only the vnets from remotes which the user has `Resource.Audit`
> privilege on `/remote/{remote_name}` will be included in the returned
> list.
> 
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
>  server/src/api/sdn/vnets.rs | 29 ++++++++++++++++++++++++++---
>  1 file changed, 26 insertions(+), 3 deletions(-)
> 
> diff --git a/server/src/api/sdn/vnets.rs b/server/src/api/sdn/vnets.rs
> index a8092cf..a2dfdb4 100644
> --- a/server/src/api/sdn/vnets.rs
> +++ b/server/src/api/sdn/vnets.rs
> @@ -1,3 +1,4 @@
> +use core::option::Option::Some;

unneeded import?

>  use std::collections::HashSet;
>  
>  use anyhow::{format_err, Error};
> @@ -5,10 +6,11 @@ use pbs_api_types::REMOTE_ID_SCHEMA;
>  use pdm_api_types::{
>      remotes::RemoteType,
>      sdn::{CreateVnetRemote, ListVnet, SDN_ID_SCHEMA, VXLAN_ID_SCHEMA},
> -    Authid,
> +    Authid, PRIV_RESOURCE_AUDIT,
>  };
> +use proxmox_access_control::CachedUserInfo;
>  use proxmox_rest_server::WorkerTask;
> -use proxmox_router::{Router, RpcEnvironment};
> +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
>  use proxmox_schema::api;
>  use pve_api_types::{CreateVnet, SdnVnetType};
>  
> @@ -52,16 +54,37 @@ pub const ROUTER: Router = Router::new()
>              type: ListVnet,
>          },
>      },
> +    access: {
> +        permission: &Permission::Anybody,
> +        description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
> +        Only vnets from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
> +        will be included in the returned list."
> +    }
>  )]
>  /// Query VNets of PVE remotes with optional filtering options
>  async fn list_vnets(
>      pending: Option<bool>,
>      running: Option<bool>,
>      remotes: Option<HashSet<String>>,
> +    rpcenv: &mut dyn RpcEnvironment,
>  ) -> Result<Vec<ListVnet>, Error> {
> +    let user_info = CachedUserInfo::new()?;
> +
> +    let auth_id: Authid = rpcenv
> +        .get_auth_id()
> +        .ok_or_else(|| format_err!("no authid available"))?
> +        .parse()?;
> +
> +    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
> +        http_bail!(FORBIDDEN, "user has no access to resources");

we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
be better to do that here too - same for the other 2 patches as well.

> +    }
> +
>      let (remote_config, _) = pdm_config::remotes::config()?;
> +    let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
> +        user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
> +    });
>  
> -    let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
> +    let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
>          if remote.ty == RemoteType::Pve
>              && remotes
>                  .as_ref()



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard

[Stefan Hanreich]

We might want to to reimplement more granular permissions as well, while
we're at it. Guests have /remotes/<remote>/guest/<vmid> for instance to
allow setting permissions on a per-guest level.

Imo, nothing speaks against implementing permissions the same way as SDN
currently does, which would then be on PDM side:

/remote/<remote>/sdn/zones/<zone>
/remote/<remote>/sdn/zones/<zone>/<vnet>
/remote/<remote>/sdn/controllers/<controller>


On 10/14/25 5:03 PM, Shan Shaji wrote:
> When a non-root user tried to access the EVPN section, the API was
> returning a "403: permission check failed" error. To fix this, explicit
> permission checks have been added for the `/zones`, `/vnets`, and
> `/controllers` endpoints.
> 
> Now, every authenticated user can access these endpoints however, the user
> must have at least the Resource.Audit permission under `/resource`.
> Remotes are also filtered based on the user’s access. Lists will only be
> fetched from remotes for which the user has at least the
> `Resource.Audit` permission on `/remote/{remote_name}`.
> 
> Shan Shaji (3):
>   fix #6901: api: add explicit permission check for controllers list
>   fix #6901: api: add explicit permission check for vnets list
>   fix #6901: api: add explicit permission check for zones list
> 
>  server/src/api/sdn/controllers.rs | 30 ++++++++++++++++++++++++++----
>  server/src/api/sdn/vnets.rs       | 29 ++++++++++++++++++++++++++---
>  server/src/api/sdn/zones.rs       | 28 +++++++++++++++++++++++++---
>  3 files changed, 77 insertions(+), 10 deletions(-)
> 



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

[Shannon Sterz]

On Wed Oct 15, 2025 at 5:20 PM CEST, Stefan Hanreich wrote:
> On 10/14/25 5:03 PM, Shan Shaji wrote:
>> When a non-root user tried to access the EVPN section, the API was
>> throwing "403: permission check failed" error. To fix this, add
>> explicit permission check for the `/vnets` endpoint.
>>
>> Now every authenticated user can access the endpoint however, the user
>> needs to have at least `Resource.Audit` permission under `/resource`.
>> Only the vnets from remotes which the user has `Resource.Audit`
>> privilege on `/remote/{remote_name}` will be included in the returned
>> list.
>>
>> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
>> ---
>>  server/src/api/sdn/vnets.rs | 29 ++++++++++++++++++++++++++---
>>  1 file changed, 26 insertions(+), 3 deletions(-)
>>
>> diff --git a/server/src/api/sdn/vnets.rs b/server/src/api/sdn/vnets.rs
>> index a8092cf..a2dfdb4 100644
>> --- a/server/src/api/sdn/vnets.rs
>> +++ b/server/src/api/sdn/vnets.rs
>> @@ -1,3 +1,4 @@
>> +use core::option::Option::Some;
>
> unneeded import?
>
>>  use std::collections::HashSet;
>>
>>  use anyhow::{format_err, Error};
>> @@ -5,10 +6,11 @@ use pbs_api_types::REMOTE_ID_SCHEMA;
>>  use pdm_api_types::{
>>      remotes::RemoteType,
>>      sdn::{CreateVnetRemote, ListVnet, SDN_ID_SCHEMA, VXLAN_ID_SCHEMA},
>> -    Authid,
>> +    Authid, PRIV_RESOURCE_AUDIT,
>>  };
>> +use proxmox_access_control::CachedUserInfo;
>>  use proxmox_rest_server::WorkerTask;
>> -use proxmox_router::{Router, RpcEnvironment};
>> +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
>>  use proxmox_schema::api;
>>  use pve_api_types::{CreateVnet, SdnVnetType};
>>
>> @@ -52,16 +54,37 @@ pub const ROUTER: Router = Router::new()
>>              type: ListVnet,
>>          },
>>      },
>> +    access: {
>> +        permission: &Permission::Anybody,
>> +        description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
>> +        Only vnets from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
>> +        will be included in the returned list."
>> +    }
>>  )]
>>  /// Query VNets of PVE remotes with optional filtering options
>>  async fn list_vnets(
>>      pending: Option<bool>,
>>      running: Option<bool>,
>>      remotes: Option<HashSet<String>>,
>> +    rpcenv: &mut dyn RpcEnvironment,
>>  ) -> Result<Vec<ListVnet>, Error> {
>> +    let user_info = CachedUserInfo::new()?;
>> +
>> +    let auth_id: Authid = rpcenv
>> +        .get_auth_id()
>> +        .ok_or_else(|| format_err!("no authid available"))?
>> +        .parse()?;
>> +
>> +    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>> +        http_bail!(FORBIDDEN, "user has no access to resources");
>
> we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
> be better to do that here too - same for the other 2 patches as well.

this was already discussed for a previous patch series. UNAUTHORIZED
there is arguably false, as we usually return a 403 FORBIDDEN when a
user does not have sufficient permissions (e.g. that's what you get if
you define permissions through the api macro and a user doesn't have
them). not a 401 UNAUTHORIZED, which we use to indicate that the user
has not been authenticated (i.e. no or invalid ticket).

iirc Permission::Anybody above means that anybody that has been
authenticated can access this endpoint (as opposed to Permission::World,
which means even unauthenticated users can access it). hence, we know
the user is authenticated here. so this is fine, but returning 401
UNAUTHORIZED in those other endpoints is wrong imo.

note that the ui relies on that in many cases: a 401 will trigger the
login prompt to be shown again, a 403 will simply show an error.

>> +    }
>> +
>>      let (remote_config, _) = pdm_config::remotes::config()?;
>> +    let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
>> +        user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
>> +    });
>>
>> -    let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
>> +    let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
>>          if remote.ty == RemoteType::Pve
>>              && remotes
>>                  .as_ref()
>
>
>
> _______________________________________________
> pdm-devel mailing list
> pdm-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

[Stefan Hanreich]

On 10/16/25 10:12 AM, Shannon Sterz wrote:
>> we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
>> be better to do that here too - same for the other 2 patches as well.
> 
> this was already discussed for a previous patch series. UNAUTHORIZED
> there is arguably false, as we usually return a 403 FORBIDDEN when a
> user does not have sufficient permissions (e.g. that's what you get if
> you define permissions through the api macro and a user doesn't have
> them). not a 401 UNAUTHORIZED, which we use to indicate that the user
> has not been authenticated (i.e. no or invalid ticket).
> 
> iirc Permission::Anybody above means that anybody that has been
> authenticated can access this endpoint (as opposed to Permission::World,
> which means even unauthenticated users can access it). hence, we know
> the user is authenticated here. so this is fine, but returning 401
> UNAUTHORIZED in those other endpoints is wrong imo.
> 
> note that the ui relies on that in many cases: a 401 will trigger the
> login prompt to be shown again, a 403 will simply show an error.
> 

makes sense, thanks for clearing this up!


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard

[Shan Shaji]

On Wed Oct 15, 2025 at 5:26 PM CEST, Stefan Hanreich wrote:
> We might want to to reimplement more granular permissions as well, while
> we're at it. Guests have /remotes/<remote>/guest/<vmid> for instance to
> allow setting permissions on a per-guest level.
>
> Imo, nothing speaks against implementing permissions the same way as SDN
> currently does, which would then be on PDM side:
>
> /remote/<remote>/sdn/zones/<zone>
> /remote/<remote>/sdn/zones/<zone>/<vnet>
> /remote/<remote>/sdn/controllers/<controller>

Thanks @Stefan for the review. Got it, Thank you for explaning it. 
I think it would be better to implement it in another patch series.
WDYT?


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

[Shan Shaji]

On Wed Oct 15, 2025 at 5:20 PM CEST, Stefan Hanreich wrote:
> On 10/14/25 5:03 PM, Shan Shaji wrote:
>> When a non-root user tried to access the EVPN section, the API was
>> throwing "403: permission check failed" error. To fix this, add
>> explicit permission check for the `/vnets` endpoint.
>> 
>> Now every authenticated user can access the endpoint however, the user
>> needs to have at least `Resource.Audit` permission under `/resource`.
>> Only the vnets from remotes which the user has `Resource.Audit`
>> privilege on `/remote/{remote_name}` will be included in the returned
>> list.
>> 
>> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
>> ---
>>  server/src/api/sdn/vnets.rs | 29 ++++++++++++++++++++++++++---
>>  1 file changed, 26 insertions(+), 3 deletions(-)
>> 
>> diff --git a/server/src/api/sdn/vnets.rs b/server/src/api/sdn/vnets.rs
>> index a8092cf..a2dfdb4 100644
>> --- a/server/src/api/sdn/vnets.rs
>> +++ b/server/src/api/sdn/vnets.rs
>> @@ -1,3 +1,4 @@
>> +use core::option::Option::Some;
>
> unneeded import?

Thanks for catching that. Will send and updated patch.

>>  use std::collections::HashSet;
>>  
>>  use anyhow::{format_err, Error};
>> @@ -5,10 +6,11 @@ use pbs_api_types::REMOTE_ID_SCHEMA;
>>  use pdm_api_types::{
>>      remotes::RemoteType,
>>      sdn::{CreateVnetRemote, ListVnet, SDN_ID_SCHEMA, VXLAN_ID_SCHEMA},
>> -    Authid,
>> +    Authid, PRIV_RESOURCE_AUDIT,
>>  };
>> +use proxmox_access_control::CachedUserInfo;
>>  use proxmox_rest_server::WorkerTask;
>> -use proxmox_router::{Router, RpcEnvironment};
>> +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
>>  use proxmox_schema::api;
>>  use pve_api_types::{CreateVnet, SdnVnetType};
>>  
>> @@ -52,16 +54,37 @@ pub const ROUTER: Router = Router::new()
>>              type: ListVnet,
>>          },
>>      },
>> +    access: {
>> +        permission: &Permission::Anybody,
>> +        description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
>> +        Only vnets from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
>> +        will be included in the returned list."
>> +    }
>>  )]
>>  /// Query VNets of PVE remotes with optional filtering options
>>  async fn list_vnets(
>>      pending: Option<bool>,
>>      running: Option<bool>,
>>      remotes: Option<HashSet<String>>,
>> +    rpcenv: &mut dyn RpcEnvironment,
>>  ) -> Result<Vec<ListVnet>, Error> {
>> +    let user_info = CachedUserInfo::new()?;
>> +
>> +    let auth_id: Authid = rpcenv
>> +        .get_auth_id()
>> +        .ok_or_else(|| format_err!("no authid available"))?
>> +        .parse()?;
>> +
>> +    if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>> +        http_bail!(FORBIDDEN, "user has no access to resources");
>
> we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
> be better to do that here too - same for the other 2 patches as well.
>
>> +    }
>> +
>>      let (remote_config, _) = pdm_config::remotes::config()?;
>> +    let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
>> +        user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
>> +    });
>>  
>> -    let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
>> +    let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
>>          if remote.ty == RemoteType::Pve
>>              && remotes
>>                  .as_ref()



_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list

[Shan Shaji]

superseded by v2: https://lore.proxmox.com/pdm-devel/20251017130217.160313-1-s.shaji@proxmox.com/T/#t


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel