all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [RFC PATCH 0/4] add 'additive' flag to ACL entries
@ 2026-07-15 23:19 Thomas Lamprecht
  2026-07-15 23:19 ` [RFC PATCH access-control 1/4] acl: support 'additive' option on " Thomas Lamprecht
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2026-07-15 23:19 UTC (permalink / raw)
  To: pve-devel

By default a more specific ACL entry on a deeper path fully replaces the
roles inherited from ancestor paths. That works well for scoped
delegation, but it is awkward when a role should apply to a whole
subtree. Take an auditor group that needs read access everywhere: today
that role has to be repeated on every deeper entry, and it quietly stops
applying as soon as someone adds a more specific ACL below.
I run into this frequently on some of our own infra especially if users
are part of multiple groups.

So, to make this a bit easier this series adds an optional per-entry
'additive' flag. An additive entry's roles are carried down the walk and
merged with more specific entries below instead of being replaced;
NoAccess still dominates. On disk it is a compact '+' option field on
the acl: line, exposed via the API and CLI as a boolean 'additive'.
See the docs patch - especially its Notes section - for some more
details.

Sending as RFC mainly for feedback on the overall semantics and also
happy to bikeshed the name and the on-disk '+' encoding (an extensible
option field, so future flags need no new positional column).

Basic docs and UI integration included to make it a bit more complete
and easier to test.

pve-access-control:

  acl: support 'additive' option on ACL entries
  api: acl: expose 'additive' flag via GET and PUT

 src/PVE/API2/ACL.pm       |  75 ++++++++++--
 src/PVE/AccessControl.pm  | 247 +++++++++++++++++++++++++++++---------
 src/test/Makefile         |   2 +
 src/test/api-acl-test.pl  | 223 ++++++++++++++++++++++++++++++++++
 src/test/parser_writer.pl | 149 +++++++++++++++++++++++
 src/test/perm-test9.pl    | 181 ++++++++++++++++++++++++++++
 src/test/test9.cfg        |  86 +++++++++++++
 7 files changed, 898 insertions(+), 65 deletions(-)

pve-manager:

  ui: acl: expose the 'additive' ACL flag

 www/manager6/dc/ACLView.js | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

pve-docs:

  pveum: document 'additive' ACL option

 pveum.adoc | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)


base-commit: dcda7019c90c550995e784c165c9786d5cef4ed3
-- 
2.47.3




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-15 23:22 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 23:19 [RFC PATCH 0/4] add 'additive' flag to ACL entries Thomas Lamprecht
2026-07-15 23:19 ` [RFC PATCH access-control 1/4] acl: support 'additive' option on " Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH access-control 2/4] api: acl: expose 'additive' flag via GET and PUT Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH manager 3/4] ui: acl: expose the 'additive' ACL flag Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH docs 4/4] pveum: document 'additive' ACL option Thomas Lamprecht

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal