From: Gabriel Goller <g.goller@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox-datacenter-manager 8/9] api: add permissions for ip-vrf and mac-vrf endpoints
Date: Wed, 12 Nov 2025 14:20:25 +0100 [thread overview]
Message-ID: <20251112132045.165444-9-g.goller@proxmox.com> (raw)
In-Reply-To: <20251112132045.165444-1-g.goller@proxmox.com>
The ip-vrf and mac-vrf endpoints expose EVPN zone and vnet information
but currently lack access control. Add permission checks that require
Audit privileges on the respective zone or vnet.
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
server/src/api/nodes/sdn.rs | 52 +++++++++++++++++++++++++++++++++++--
1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/server/src/api/nodes/sdn.rs b/server/src/api/nodes/sdn.rs
index 065ebe07846e..ee857ea9eee9 100644
--- a/server/src/api/nodes/sdn.rs
+++ b/server/src/api/nodes/sdn.rs
@@ -1,4 +1,4 @@
-use anyhow::{anyhow, Error};
+use anyhow::{anyhow, format_err, Error};
use http::StatusCode;
use pdm_api_types::{remotes::REMOTE_ID_SCHEMA, sdn::SDN_ID_SCHEMA, NODE_SCHEMA};
@@ -9,6 +9,10 @@ use pve_api_types::{SdnVnetMacVrf, SdnZoneIpVrf};
use crate::api::pve::{connect, get_remote};
mod zones {
+ use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
+ use proxmox_access_control::CachedUserInfo;
+ use proxmox_router::{http_bail, Permission, RpcEnvironment};
+
use super::*;
const ZONE_SUBDIRS: SubdirMap = &[("ip-vrf", &Router::new().get(&API_METHOD_GET_IP_VRF))];
@@ -28,13 +32,33 @@ mod zones {
},
},
returns: { type: SdnZoneIpVrf },
+ access: {
+ permission: &Permission::Anybody,
+ description: "The user needs to have at least the `Resource.Audit` privilege on
+ `/resource/{remote}/sdn/zone/{zone}`."
+ }
)]
/// Get the IP-VRF for an EVPN zone for a node on a given remote
async fn get_ip_vrf(
remote: String,
node: String,
zone: String,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<SdnZoneIpVrf>, Error> {
+ let user_info = CachedUserInfo::new()?;
+
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "zone", &zone])
+ & PRIV_RESOURCE_AUDIT
+ == 0
+ {
+ http_bail!(FORBIDDEN, "user has no access to {remote}/sdn/zone/{zone}");
+ }
+
let (remote_config, _) = pdm_config::remotes::config()?;
let remote = get_remote(&remote_config, &remote)?;
let client = connect(remote)?;
@@ -52,6 +76,10 @@ mod zones {
}
mod vnets {
+ use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
+ use proxmox_access_control::CachedUserInfo;
+ use proxmox_router::{http_bail, Permission, RpcEnvironment};
+
use super::*;
const VNET_SUBDIRS: SubdirMap = &[("mac-vrf", &Router::new().get(&API_METHOD_GET_MAC_VRF))];
@@ -71,16 +99,36 @@ mod vnets {
},
},
returns: { type: SdnVnetMacVrf },
+ access: {
+ permission: &Permission::Anybody,
+ description: "The user needs to have at least the `Resource.Audit` privilege on
+ `/resource/{remote}/sdn/vnet/{vnet}`."
+ }
)]
/// Get the MAC-VRF for an EVPN vnet for a node on a given remote
async fn get_mac_vrf(
remote: String,
node: String,
vnet: String,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<SdnVnetMacVrf>, Error> {
+ let user_info = CachedUserInfo::new()?;
+
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "vnet", &vnet])
+ & PRIV_RESOURCE_AUDIT
+ == 0
+ {
+ http_bail!(FORBIDDEN, "user has no access to {remote}/sdn/vnet/{vnet}");
+ }
+
let (remote_config, _) = pdm_config::remotes::config()?;
let remote = get_remote(&remote_config, &remote)?;
- let client = connect(&remote)?;
+ let client = connect(remote)?;
client
.get_vnet_mac_vrf(&node, &vnet)
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-11-12 13:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-12 13:20 [pdm-devel] [RFC proxmox-datacenter-manager 0/9] Granular permissions for SDN resources Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 1/9] api: sdn: rename vnets to zones in list_zones Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 2/9] api: sdn: rename "vnet" to "controller" in list_controller Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 3/9] ui: improve error message when controller cannot be found Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 4/9] api: allow acl paths longer than 4 segments in sdn Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 5/9] api: sdn: add granular permissions for zones Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 6/9] api: sdn: add granular permissions for vnets Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 7/9] api: sdn: add granular permissions for controllers Gabriel Goller
2025-11-12 13:20 ` Gabriel Goller [this message]
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 9/9] api: add permissions for sdn resources Gabriel Goller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251112132045.165444-9-g.goller@proxmox.com \
--to=g.goller@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.