From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [45.144.208.40]) by lore.proxmox.com (Postfix) with ESMTPS id D7C131FF0E0 for ; Thu, 09 Jul 2026 14:48:37 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id D3B6B214E1; Thu, 09 Jul 2026 14:48:36 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 09 Jul 2026 14:48:32 +0200 Message-Id: From: =?utf-8?q?Michael_K=C3=B6ppl?= To: "Jakob Klocker" , Subject: Re: [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates X-Mailer: aerc 0.21.0 References: <20260528113505.12961-1-j.klocker@proxmox.com> In-Reply-To: <20260528113505.12961-1-j.klocker@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1783601302370 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.150 Adjusted score from AWL reputation of From: address DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: VIOWXNSQQLWXG7JWH6FKV3TGMYMIBNYZ X-Message-ID-Hash: VIOWXNSQQLWXG7JWH6FKV3TGMYMIBNYZ X-MailFrom: m.koeppl@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Thanks for these patches! Gave this a quick spin by creating a new user and assigning the now more specific permissions. - Checked that assigning the CertManager Role to the new user for path /nodes//certificates was possible through both the UI and pveum - Checked that the user then was able to view, upload, and remove certificates for the nodes for which the path was added (and that it was not possible for other nodes) - Checked that assigning the CertManager role for path /nodes/ still allowed the user to manipulate certificates - Also checked that the user could not access any other functionality even if assigned a role with more privileges The patches seemed to work as expected for me. I also had a look at the code and the changes look simple enough and good to me. I quickly checked if any other parts of PVE might be affected by these changes, but I don't think that's the case. Consider this: Reviewed-by: Michael K=C3=B6ppl Tested-by: Michael K=C3=B6ppl On Thu May 28, 2026 at 1:35 PM CEST, Jakob Klocker wrote: > Managing node certificates currently requires broad /nodes/{node} > permissions, which violates the least-privilege principle. This > series adds /nodes/{node}/certificates as a dedicated ACL path and > moves the relevant permission checks onto it, so certificate > management can be done without granting node-wide rights. [snip]