From: Shan Shaji <s.shaji@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [RFC PATCH datacenter-manager 0/3] ui: acl: pre-populate permission path selector
Date: Wed, 25 Mar 2026 16:35:32 +0100
Message-ID: <20260325153535.286380-1-s.shaji@proxmox.com>
List-Id: Proxmox Datacenter Manager development discussion

vikunja ticket: #858

Creating this series as an RFC because, after populating the resource
paths and testing them, AFAIU some of the permissions were not working
because of our current API level permissions.

I have tested the cases listed below. Would like to confirm if the
desired and expected behaviour that I mentioned is correct and if I have
missed anything. Since I was not sure about the correct behaviour I
haven't made any updates in the API level permissions.

Backup Server
=============

remote_name = backup
node_name = localhost
Role = Auditor
datastore_name = backup

- /resource/backup
    - This was working even without enabling the propagate flag. Not
      sure if that is expected.
    - Desired behaviour: when propagate flag is enabled, the resources
      need to be shown, else the remote should be visible under the
      remotes but the resources shouldn't be visible.

- /resource/backup/datastore/backup
    - The datastore details are not shown either in the remote dashboard
      or in the main dashboard.
    - Desired behaviour:
        - The remote needs to be visible under remotes of the sidebar.
        - The datastore details need to be visible under the remote
          overview section.
        - Datastore status needs to be visible under the main dashboard.

- /resource/backup/node
    - propagate enabled: not working
    - propagate disabled: not working
    - Desired behaviour:
        - The remote should be visible under the remotes in the sidebar.
        - When propagate is enabled, all the resources in the specific
          node need to be visible.

- /resource/backup/node/localhost
    - not working even when propagate is enabled.
    - Desired behaviour: similar behaviour to /resource/backup/node

Cluster
=======

remote_name = cluster
nodes = 3
Role = Auditor
guests = 5

- /resource/cluster
    - The remote was shown in the dashboard. However, I was getting a
      403 error (user has no access to resource list).
    - When the propagate flag is set, the resource list loads correctly.

- /resource/cluster/guest
    - propagate disabled: Not working (expected)
    - Not working even when the propagate flag is set to true. The
      remote is not listed under the remotes in the sidebar. Also, the
      guest statuses were not being shown in the dashboard as well.
    - Desired behaviour: when propagate is enabled, all virtual guests
      inside the specific remote need to be visible.

- /resource/cluster/guest/{100,101,102}
    - not working, the guest status was not shown in the main dashboard
      or in the remote-specific dashboard.
    - The propagate option doesn't matter here as it's a specific
      resource.
    - Desired behaviour: The guest status needs to be shown in the
      dashboard. The remote needs to be listed under remotes.

- /resource/cluster/node
    - propagate disabled: Not working (expected)
    - propagate enabled: Not working
    - Desired behaviour: When propagate is enabled, the remote needs to
      be visible under remotes and the node resources need to be visible
      inside the remote dashboard.

- /resource/cluster/node/pve-node-1
    - propagate disabled: Not working (expected)
    - propagate enabled: Not working
    - Desired behaviour: when propagate is enabled, the remote needs to
      be visible under remotes and the node-specific resources need to
      be visible under the remote dashboard.

PVE node
========

remote_name = trial
Role = Auditor
guests = 1
node_name = pve-free-trial

- /resource/trial
    - propagate disabled: 403 error (user has no access to resource
      list). (expected)
    - propagate enabled: The resources are visible under the dashboard.
      (expected)

- /resource/trial/guest
    - propagate disabled: No remote under remotes and no status under
      the main dashboard. (expected)
    - propagate enabled: No remote under remotes and no status under the
      main dashboard.
    - Desired behaviour: when propagate is enabled, the guest statuses
      need to be shown.

- /resource/trial/guest/100
    - propagate doesn't matter here as it's a specific resource.
    - not working, the guest status is not being shown inside the
      remote-specific dashboard or in the main dashboard.

- /resource/trial/node
    - propagate disabled: no resources are loaded. (expected)
    - propagate enabled: no resources are loaded. (not expected)
    - Desired behaviour: The node resources need to be visible under the
      remote-specific dashboard and in the main dashboard when propagate
      is enabled.

- /resource/trial/node/pve-free-trial
    - propagate disabled: no resources are loaded. (expected)
    - propagate enabled: no resources are loaded. (not expected)
    - Desired behaviour: The node resources need to be visible under the
      remote dashboard and in the main dashboard when propagate is
      enabled.

Views
=====

views_count = 2

- /view/layout
    - User can view the specific view.

- /view
    - propagate enabled: Both views are visible to the user.
    - propagate disabled: Views are visible under the views in the
      sidebar but the resources are not visible when clicking on each
      view.

Shan Shaji (3):
  pdm-client: add `list_views` function to fetch views list
  ui: acl: list granular level permission paths for views
  ui: acl: list granular level permission paths for resources

 lib/pdm-api-types/src/acl.rs                  |   3 +-
 lib/pdm-client/src/lib.rs                     |  10 ++
 .../configuration/permission_path_selector.rs | 125 +++++++++++++++---
 3 files changed, 121 insertions(+), 17 deletions(-)

-- 
2.47.3
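
The propagate semantics the mail lists as desired behaviour can be modelled as a component-wise prefix match over ACL paths. The following is an added example, not part of the original mail and not Proxmox Datacenter Manager code. `AclEntry`, `covers`, `visible` and `remote_listed` are hypothetical names, the inventory is constructed from the mail's "PVE node" test case, and the remote-listing rule is one assumed reading of the mail.

```rust
// Added example modelling the desired propagate semantics listed in the mail.
// Not PDM code: AclEntry, covers, visible and remote_listed are hypothetical.
struct AclEntry {
    path: &'static str,
    propagate: bool,
}

/// Split an ACL path into components, ignoring empty segments.
fn components(path: &str) -> Vec<&str> {
    path.split('/').filter(|c| !c.is_empty()).collect()
}

/// An entry covers its own path; with propagate it also covers descendants.
/// Matching is per component, so /resource/trial never covers /resource/trial2.
fn covers(entry: &AclEntry, target: &str) -> bool {
    let (e, t) = (components(entry.path), components(target));
    if e.len() > t.len() || e[..] != t[..e.len()] {
        return false;
    }
    e.len() == t.len() || entry.propagate
}

/// Resources from `inventory` that at least one entry makes visible.
fn visible<'a>(acl: &[AclEntry], inventory: &[&'a str]) -> Vec<&'a str> {
    inventory.iter().copied().filter(|r| acl.iter().any(|e| covers(e, r))).collect()
}

/// Assumed reading of the mail: a remote is listed when an entry covers the
/// remote path itself or when at least one of its resources is visible.
fn remote_listed(acl: &[AclEntry], remote: &str, inventory: &[&str]) -> bool {
    let root = format!("/resource/{remote}");
    let under_root = |r: &&str| components(r).starts_with(&components(&root));
    acl.iter().any(|e| covers(e, &root)) || visible(acl, inventory).iter().any(under_root)
}

fn main() {
    // Constructed inventory mirroring the "PVE node" test setup in the mail.
    let inv = ["/resource/trial/guest/100", "/resource/trial/node/pve-free-trial"];
    let cases = [("/resource/trial", false), ("/resource/trial/guest", true),
                 ("/resource/trial/guest/100", false)];
    for (path, propagate) in cases {
        let acl = [AclEntry { path, propagate }];
        let (listed, shown) = (remote_listed(&acl, "trial", &inv), visible(&acl, &inv));
        println!("{path} propagate={propagate}: listed={listed} visible={shown:?}");
    }
}
```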