Re: [pve-devel] [PATCH manager] api2: network: anybridge: re-add regular bridges

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

From: "DERUMIER, Alexandre" <Alexandre.DERUMIER@groupe-cyllene.com>
To: "pve-devel@lists.proxmox.com" <pve-devel@lists.proxmox.com>,
	"f.gruenbichler@proxmox.com" <f.gruenbichler@proxmox.com>
Subject: Re: [pve-devel] [PATCH manager] api2: network: anybridge: re-add regular bridges
Date: Wed, 27 Apr 2022 12:32:54 +0000	[thread overview]
Message-ID: <27858f5825dd14d370504c67bf877dc6d53a4bfc.camel@groupe-cyllene.com> (raw)
In-Reply-To: <20220427113600.166803-1-f.gruenbichler@proxmox.com>

Hi Fabian
Le mercredi 27 avril 2022 à 13:36 +0200, Fabian Grünbichler a écrit :
> commit 052fbb2a4d1bdeb490b2e3b67cd7555e460ebe93 introduced permission
> > checks here that caused all regular bridges to be removed from the
> > returned list as soon as the SDN package is installed, unless the
> > user
> > is root@pam or there exists a VNET with the same ID.
> > 
mmm, this is unexpected.
with my original patch :

if user don't have any permissions on vnets:
  - all vmbrX bridges are displayed
  - no vnets is displayed

if user have a permission on at least 1vnet:
  - vmbrX bridge are no more displayed  (untie you add a specific
permissions with /sdn/vnets/vmbrX)
  - only vnet with permissions are displayed


I didn' see, but Thomas have reworked it:
https://git.proxmox.com/?p=pve-manager.git;a=commit;h=640c0b26891c408d0456c355b3724c1be18cc75f

and the behaviour seem to be different:

if user don't have any permissions on vnets:
  - no vmbrX displayed   ----> different behaviour
  - no vnets is displayed

if user have a permission on at least 1vnet:
  - vmbrX bridge are no more displayed  (untile you add a specific
permissions with /sdn/vnets/vmbrX)
  - only vnet with permissions are displayed


with your patch, it seem to be different too:

if user don't have any permissions on vnets:
  - vmbrX displayed  
  - no vnets is displayed

if user have a permission on at least 1vnet:
  - vmbrX brige are still displayed ----> different behaviour
  - only vnet with permissions are displayed


> this is arguably a breaking change, so limit the priv check to
> actually
> > defined VNETs for the time being, and add ALL regular bridges
> > uncondtionally like before.
> > 
> get_local_vnets already filters by the same prvs, so we need to get
> the
> > full config to find out which IDs are VNETs and which are not.
> > 
> once/iff we introduce ACL paths for all bridges in the future, we can
> > limit accordingly here.
> > 
> CC: Alexandre Derumier <aderumier@odiso.com>
> > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> > ---
> >  PVE/API2/Network.pm | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
> > index 214ab50a..a43579fa 100644
> > --- a/PVE/API2/Network.pm
> > +++ b/PVE/API2/Network.pm
> > @@ -240,13 +240,16 @@ PACKAGE->register_method({
> >  
> >         if (my $tfilter = $param->{type}) {
> >             my $vnets;
> > +           my $vnet_cfg;
> >             my $can_access_vnet = sub { # only matters for the
> > $have_sdn case, checked implict
> >                 return 1 if $authuser eq 'root@pam' ||
> > !defined($vnets);
> > +               return 1 if
> > !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg,
> > $[0], 1)); # not a vnet
> >                 $rpcenv->check_any($authuser, "/sdn/vnets/$[0]",
> > ['SDN.Audit', 'SDN.Allocate'], 1)
> >             };
> >  
> >             if ($have_sdn && $param->{type} eq 'any_bridge') {
> >                 $vnets = PVE::Network::SDN::get_local_vnets(); #
> > returns already access-filtered
> > +               $vnet_cfg = PVE::Network::SDN::Vnets::config();
> >             }
> >  
> >             for my $k (sort keys $ifaces->%*) {

next prev parent reply	other threads:[~2022-04-27 12:33 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-27 11:36 Fabian Grünbichler
2022-04-27 11:56 ` [pve-devel] applied: " Thomas Lamprecht
2022-04-27 12:32 ` DERUMIER, Alexandre [this message]
2022-04-27 12:45   ` [pve-devel] " Fabian Grünbichler
2022-04-27 13:04     ` DERUMIER, Alexandre
2022-04-27 13:15   ` Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=27858f5825dd14d370504c67bf877dc6d53a4bfc.camel@groupe-cyllene.com \
    --to=alexandre.derumier@groupe-cyllene.com \
    --cc=f.gruenbichler@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal