From: Gabriel Goller
To: pdm-devel@lists.proxmox.com
Date: Wed, 12 Nov 2025 14:20:17 +0100
Message-ID: <20251112132045.165444-1-g.goller@proxmox.com>
Subject: [pdm-devel] [RFC proxmox-datacenter-manager 0/9] Granular permissions for SDN resources

This series relies on the following patch series from Stefan:

- Add support for network resource type
  https://lore.proxmox.com/pdm-devel/20251107144018.700695-1-s.hanreich@proxmox.com/
- IP-VRF and MAC-VRF status in EVPN panel
  https://lore.proxmox.com/pdm-devel/20251107085934.118815-1-s.hanreich@proxmox.com/

This RFC patch series introduces granular permission controls for SDN
resources (Zones, VNets, and Controllers).

The series is structured as follows:

[0-2] Initial cleanup and refactoring (mostly renames) that can be applied
      independently
[3-7] Adds permission filtering for zones/vnets based on acl paths
[8]   Adds permission filtering for resources

The list_zones and list_vnets endpoints are only used for EVPN stuff in the
EVPN view (currently).

The final patch adds permission filtering to the SDN view, checking only
'network' resource types while ignoring other resource types. This could
potentially be slow, and it's also awkward as we only check the sdn resource
and ignore the others (OTOH without this patch we'd have to think about the
rest of the series as hidden zones can be viewable and searchable in the
resources).

Open questions for discussion:

1. Should we implement granular permissions at this level, or rely on the
   existing PVE token/permissions system?
2. Is the proposed permission granularity appropriate, or too fine-grained?
3. Should the final patch (resource filtering) be included in this series?

proxmox-datacenter-manager:

Gabriel Goller (9):
  api: sdn: rename vnets to zones in list_zones
  api: sdn: rename "vnet" to "controller" in list_controller
  ui: improve error message when controller cannot be found
  api: allow acl paths longer than 4 segments in sdn
  api: sdn: add granular permissions for zones
  api: sdn: add granular permissions for vnets
  api: sdn: add granular permissions for controllers
  api: add permissions for ip-vrf and mac-vrf endpoints
  api: add permissions for sdn resources

 server/src/acl.rs                 |  9 +++++-
 server/src/api/nodes/sdn.rs       | 52 +++++++++++++++++++++++++++++--
 server/src/api/resources.rs       | 21 ++++++++++++-
 server/src/api/sdn/controllers.rs | 33 +++++++++++++-------
 server/src/api/sdn/vnets.rs       | 22 ++++++++-----
 server/src/api/sdn/zones.rs       | 30 +++++++++++-------
 ui/src/sdn/evpn/remote_tree.rs    |  6 ++--
 ui/src/sdn/evpn/vrf_tree.rs       |  6 ++--
 8 files changed, 142 insertions(+), 37 deletions(-)

Summary over all repositories:
  8 files changed, 142 insertions(+), 37 deletions(-)

--
Generated by git-murpp 0.8.0
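As an added illustration of the two mechanisms the cover letter describes (filtering SDN objects by acl path, and the resource-list filter that only checks 'network' entries and lets other kinds through), here is a stand-alone Rust sketch. It is example code written for this page, not code from the series or from proxmox-datacenter-manager: the Resource enum, the Acl type, the privilege name "Resource.Audit" and the path layout /resource/{remote}/sdn/zone/{zone}[/vnet/{vnet}] are all assumptions, chosen so that a zone-plus-vnet path exceeds four segments, which is the limit the fourth patch lifts.

```rust
use std::collections::HashSet;

/// Resource kinds a datacenter-wide resource list might contain. This enum and
/// the ACL path layout below are assumptions for the example, not PDM's types.
#[derive(Debug, Clone, PartialEq)]
pub enum Resource {
    Network { remote: String, zone: String, vnet: Option<String> },
    Node { remote: String, node: String },
}

/// A minimal ACL: the set of (acl path, privilege) pairs the current user holds.
pub struct Acl {
    grants: HashSet<(String, String)>,
}

impl Acl {
    pub fn new(grants: &[(&str, &str)]) -> Self {
        Acl {
            grants: grants
                .iter()
                .map(|(path, privilege)| (path.to_string(), privilege.to_string()))
                .collect(),
        }
    }

    /// True if `privilege` is granted on `path` or on any of its ancestors,
    /// so a grant on a zone also covers the vnets below it.
    pub fn check(&self, path: &str, privilege: &str) -> bool {
        let mut current = path.trim_end_matches('/');
        loop {
            let key = if current.is_empty() { "/" } else { current };
            if self.grants.contains(&(key.to_string(), privilege.to_string())) {
                return true;
            }
            if current.is_empty() {
                return false;
            }
            // Strip the last segment and retry one level up.
            current = match current.rfind('/') {
                Some(i) => &current[..i],
                None => "",
            };
        }
    }
}

/// Assumed ACL path layout for an SDN object (hypothetical, not PDM's real
/// layout). A zone with a vnet yields seven segments, which is why a fixed
/// four-segment limit on acl paths would reject it.
pub fn sdn_acl_path(remote: &str, zone: &str, vnet: Option<&str>) -> String {
    let mut path = format!("/resource/{remote}/sdn/zone/{zone}");
    if let Some(v) = vnet {
        path.push_str(&format!("/vnet/{v}"));
    }
    path
}

/// Number of non-empty segments in an ACL path.
pub fn segment_count(path: &str) -> usize {
    path.split('/').filter(|s| !s.is_empty()).count()
}

/// Drop network resources the user may not audit; other resource kinds pass
/// through unchecked, mirroring the caveat in the cover letter.
pub fn filter_resources(resources: Vec<Resource>, acl: &Acl) -> Vec<Resource> {
    resources
        .into_iter()
        .filter(|r| match r {
            Resource::Network { remote, zone, vnet } => {
                acl.check(&sdn_acl_path(remote, zone, vnet.as_deref()), "Resource.Audit")
            }
            _ => true,
        })
        .collect()
}

fn main() {
    // Constructed sample: the user may audit zone z1 on remote pve1 only.
    let acl = Acl::new(&[("/resource/pve1/sdn/zone/z1", "Resource.Audit")]);
    let resources = vec![
        Resource::Network { remote: "pve1".into(), zone: "z1".into(), vnet: None },
        Resource::Network { remote: "pve1".into(), zone: "z1".into(), vnet: Some("v1".into()) },
        Resource::Network { remote: "pve1".into(), zone: "z2".into(), vnet: None },
        Resource::Node { remote: "pve1".into(), node: "n1".into() },
    ];
    for r in filter_resources(resources, &acl) {
        println!("{r:?}");
    }
}
```

Run as-is, the sample keeps zone z1, the vnet v1 under it (covered by the ancestor grant) and the node, and hides zone z2. The node passing through untouched is exactly the awkwardness the cover letter points out: only the network entries are checked, so a hidden zone is invisible in the resource list while everything else is returned without an ACL lookup.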