From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 57ECE1FF179 for ; Wed, 29 Oct 2025 15:49:16 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DB0C6E882; Wed, 29 Oct 2025 15:49:49 +0100 (CET) From: Lukas Wagner To: pdm-devel@lists.proxmox.com Date: Wed, 29 Oct 2025 15:48:57 +0100 Message-ID: <20251029144902.446852-9-l.wagner@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20251029144902.446852-1-l.wagner@proxmox.com> References: <20251029144902.446852-1-l.wagner@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1761749338583 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.973 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_MAILER 2 Automated Mailer Tag Left in Email SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pdm-devel] [PATCH datacenter-manager 08/13] api: resources: top entities: add support for view-filter parameter X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" A view filter allows one to get filtered subset of all resources, based on filter rules defined in a config file. View filters integrate with the permission system - if a user has permissions on /view/{view-filter-id}, then these privileges are transitively applied to all resources which are matched by the rules. All other permission checks are replaced if requesting data through a view filter. Signed-off-by: Lukas Wagner --- server/src/api/resources.rs | 41 ++++++++++++++++++-- server/src/metric_collection/top_entities.rs | 5 +++ 2 files changed, 42 insertions(+), 4 deletions(-) diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs index c7f208aa..8059596d 100644 --- a/server/src/api/resources.rs +++ b/server/src/api/resources.rs @@ -617,7 +617,11 @@ pub async fn get_subscription_status( "timeframe": { type: RrdTimeframe, optional: true, - } + }, + "view-filter": { + schema: VIEW_FILTER_ID_SCHEMA, + optional: true, + }, } }, access: { @@ -630,6 +634,7 @@ pub async fn get_subscription_status( /// Returns the top X entities regarding the chosen type async fn get_top_entities( timeframe: Option, + view_filter: Option, rpcenv: &mut dyn RpcEnvironment, ) -> Result { let user_info = CachedUserInfo::new()?; @@ -638,17 +643,45 @@ async fn get_top_entities( .ok_or_else(|| format_err!("no authid available"))? .parse()?; - if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? { + if let Some(view_filter) = &view_filter { + user_info.check_privs(&auth_id, &["view", view_filter], PRIV_RESOURCE_AUDIT, false)?; + } else if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? { http_bail!(FORBIDDEN, "user has no access to resources"); } + let view_filter = view_filter + .map(|a| views::view_filter::get_view_filter(&a)) + .transpose()?; + let (remotes_config, _) = pdm_config::remotes::config()?; + let check_remote_privs = |remote_name: &str| { - user_info.lookup_privs(&auth_id, &["resource", remote_name]) & PRIV_RESOURCE_AUDIT != 0 + if let Some(view_filter) = &view_filter { + // if `include-remote` or `exclude-remote` are used we can limit the + // number of remotes to check. + !view_filter.can_skip_remote(remote_name) + } else { + user_info.lookup_privs(&auth_id, &["resource", remote_name]) & PRIV_RESOURCE_AUDIT != 0 + } + }; + + let is_resource_included = |remote: &str, resource: &Resource| { + if let Some(view_filter) = &view_filter { + view_filter.resource_matches(remote, resource) + } else { + true + } }; let timeframe = timeframe.unwrap_or(RrdTimeframe::Day); - let res = top_entities::calculate_top(&remotes_config, timeframe, 10, check_remote_privs); + let res = top_entities::calculate_top( + &remotes_config, + timeframe, + 10, + check_remote_privs, + is_resource_included, + ); + Ok(res) } diff --git a/server/src/metric_collection/top_entities.rs b/server/src/metric_collection/top_entities.rs index 73a3e63f..a91d586c 100644 --- a/server/src/metric_collection/top_entities.rs +++ b/server/src/metric_collection/top_entities.rs @@ -37,6 +37,7 @@ pub fn calculate_top( timeframe: proxmox_rrd_api_types::RrdTimeframe, num: usize, check_remote_privs: impl Fn(&str) -> bool, + is_resource_included: impl Fn(&str, &Resource) -> bool, ) -> TopEntities { let mut guest_cpu = Vec::new(); let mut node_cpu = Vec::new(); @@ -51,6 +52,10 @@ pub fn calculate_top( crate::api::resources::get_cached_resources(remote_name, i64::MAX as u64) { for res in data.resources { + if !is_resource_included(remote_name, &res) { + continue; + } + let id = res.id().to_string(); let name = format!("pve/{remote_name}/{id}"); match &res { -- 2.47.3 _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel