From: David Riley <d.riley@proxmox.com>
To: Gabriel Goller <g.goller@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets
Date: Fri, 12 Jun 2026 16:17:03 +0200 [thread overview]
Message-ID: <a9ade3a6-3cd7-450f-9951-3a4bd192af68@proxmox.com> (raw)
In-Reply-To: <178127201519.718919.5198816838031871654.b4-reply@b4>
On 6/12/26 3:46 PM, Gabriel Goller wrote:
> On 2026-06-12 14:51 +0200, David Riley wrote:
>> Thanks for the feedback.
>>
>> The intention behind adding this segment to the ACL path is to allow
>> for fine-grained, hierarchical permission scoping, not to couple the
>> ACL system to specific VNet properties.
>>
>> I used vlan as a placeholder for 'tag', but in retrospect, the naming
>> is a bit confusing, and I'm happy to adapt this in a v2.
>>
>> From a permission perspective, including the tag in the path makes
>> sense, as it allows us to restrict pool users to a specific VNet and
>> tag combination.
> Maybe I'm a bit dim, but you mean the VNet tag right -- so the tag I configure
> on each VNet?
No, I don't mean the tag configured on the VNet itself. I mean the
VLAN tag configured on the guest's network interface (NIC) when
attaching the VM to a VLAN-aware VNet.
>> So if you have a pool with a VM, storage and VNet + Tag and assign the
>> pool permissions: PVEVMAdmin, PVESDNUser
>>
>> The user can fully manage this VM, including adding a new NIC, but
>> they can only add it using the exact VNet + Tag combination. Just
>> adding the VNet would not work.
> How is this different than just adding the VNet? Will this restrict the user
> from adding another vlan tag on the VM (when using vlanaware vnets)? Is this
> just to prevent the user from editing the VNet tag?
Yes it will restrict the user.
This is how I tested it (and what I envision the primary use case to
be) is this:
* You create a simple zone.
* In that zone, you create a VNet and make it vlanaware.
* You add this VNet to the pool by selecting the zone, the VNet, and
setting a specific tag (e.g., 1).
The user then gets the following ACL path from the pool:
/sdn/zones/zone/vnet/1
If the user tries to add a network card to their VM using only the
zone and VNet without the VLAN tag, it will fail:
Permission check failed (/sdn/zones/zone/vnet, SDN.Use) (403)
Trying to assign a different VLAN tag (e.g., 2) will also fail:
Permission check failed (/sdn/zones/zone/vnet/2, SDN.Use) (403)
Only using the zone, VNet, and tag 1 will work.
So it effectively allows an admin to share a single VLAN-aware VNet
across multiple pools, strictly isolating users to their assigned
VLANs.
>> Let me know if this makes sense.
>>
>> [snip]
next prev parent reply other threads:[~2026-06-12 14:17 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 14:59 [PATCH access-control/cluster/manager/network/qemu-server 0/9] fix #7294: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 1/9] ui: replace var with let to match style guide for variable declaration David Riley
2026-06-11 14:59 ` [PATCH pve-manager 2/9] fix #7294: api: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 3/9] fix #7294: ui: " David Riley
2026-06-11 14:59 ` [PATCH pve-access-control 4/9] fix #7294: acl: " David Riley
2026-06-11 14:59 ` [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets David Riley
2026-06-12 12:18 ` Gabriel Goller
2026-06-12 12:51 ` David Riley
2026-06-12 13:46 ` Gabriel Goller
2026-06-12 14:17 ` David Riley [this message]
2026-06-11 14:59 ` [PATCH pve-network 6/9] fix #7294: sdn: vnet: update pool members on vnet migration and deletion David Riley
2026-06-11 16:21 ` Gabriel Goller
2026-06-12 6:37 ` David Riley
2026-06-12 8:41 ` Gabriel Goller
2026-06-11 14:59 ` [PATCH pve-cluster 7/9] cluster: add helpers module with version comparison functions David Riley
2026-06-11 14:59 ` [PATCH pve-cluster 8/9] fix #7294: cluster: helpers: add cluster-wide version assertion David Riley
2026-06-11 14:59 ` [PATCH qemu-server 9/9] fix #7294: helpers: use cluster-wide version helper David Riley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a9ade3a6-3cd7-450f-9951-3a4bd192af68@proxmox.com \
--to=d.riley@proxmox.com \
--cc=g.goller@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.