* [pve-devel] [PATCH v2 pve-manager 0/2] sdn: permissions improvments
From: Alexandre Derumier @ 2021-10-04  6:08 UTC (permalink / raw)
  To: pve-devel

- display zones list in global permissions management pathselector
- remove vmbrX bridges from bridgeselector if the user has permissions on vnets


changelog v2:

- check permission on /sdn/vnet/<vmbr> too if the user needs access to both
  vnets && vmbr


Alexandre Derumier (2):
  permpathstore: add sdn zones
  api2 : network: anybridge: don't display bridges if user have access
    to vnets.

 PVE/API2/Network.pm                | 21 ++++++++++++++-------
 www/manager6/data/PermPathStore.js |  3 +++
 2 files changed, 17 insertions(+), 7 deletions(-)

-- 
2.30.2





* [pve-devel] [PATCH v2 pve-manager 1/2] permpathstore: add sdn zones
From: Alexandre Derumier @ 2021-10-04  6:08 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 www/manager6/data/PermPathStore.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/www/manager6/data/PermPathStore.js b/www/manager6/data/PermPathStore.js
index 1dc276b6..cf702c03 100644
--- a/www/manager6/data/PermPathStore.js
+++ b/www/manager6/data/PermPathStore.js
@@ -10,6 +10,7 @@ Ext.define('PVE.data.PermPathStore', {
 	{ 'value': '/access/realm' },
 	{ 'value': '/nodes' },
 	{ 'value': '/pool' },
+	{ 'value': '/sdn/zones' },
 	{ 'value': '/storage' },
 	{ 'value': '/vms' },
     ],
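Review bot: the static list in this hunk gains `/sdn/zones` only, while patch 2/2 of this series checks privileges on `/sdn/vnets/<bridge>`, a path the selector then never suggests. Consider adding a `/sdn/vnets` entry next to it, or stating in the commit message (currently empty apart from the Signed-off-by) that vnet paths are meant to be typed by hand.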
@@ -32,6 +33,8 @@ Ext.define('PVE.data.PermPathStore', {
 		    break;
 		case 'lxc': path = '/vms/' + record.get('vmid');
 		    break;
+		case 'sdn': path = '/sdn/zones/' + record.get('sdn');
+		    break;
 		case 'storage': path = '/storage/' + record.get('storage');
 		    break;
 		case 'pool': path = '/pool/' + record.get('pool');
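Review bot: the new `case 'sdn'` branch builds the path from `record.get('sdn')` without saying what that field holds; the `/sdn/zones/` prefix implies a zone ID, but nothing in the hunk or the commit message confirms that every resource record of type `sdn` is a zone. A short comment or a commit-message line stating this would help, since any other SDN object reported with this type would be mapped to a wrong `/sdn/zones/...` path.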
-- 
2.30.2





* [pve-devel] [PATCH v2 pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets.
From: Alexandre Derumier @ 2021-10-04  6:08 UTC (permalink / raw)
  To: pve-devel

This removes vmbr* from the bridgeselector if the user has access to vnets.
If the user also needs access to vmbr, we can add a permission
in path "/sdn/vnets/vmbrX"

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 PVE/API2/Network.pm | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index a26f36d2..53165660 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -226,6 +226,7 @@ __PACKAGE__->register_method({
 	my ($param) = @_;
 
 	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
 
 	my $tmp = PVE::INotify::read_file('interfaces', 1);
 	my $config = $tmp->{data};
@@ -238,20 +239,26 @@ __PACKAGE__->register_method({
 	delete $ifaces->{lo}; # do not list the loopback device
 
 	if ($param->{type}) {
+	    my $vnets = {};
+	    my $filtered_sdn = undef;
+	    my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
+
+	    if ($have_sdn && $param->{type} eq 'any_bridge') {
+		$vnets = PVE::Network::SDN::get_local_vnets();
+		$filtered_sdn = 1 if $authuser ne 'root@pam' && keys %{$vnets} > 0;
+	    }
+
 	    foreach my $k (keys %$ifaces) {
 		my $type = $ifaces->{$k}->{type};
 		my $match =  ($param->{type} eq $type) || (
 		    ($param->{type} eq 'any_bridge') && 
 		    ($type eq 'bridge' || $type eq 'OVSBridge'));
-		delete $ifaces->{$k} if !$match;
+		delete $ifaces->{$k} if !$match || ($filtered_sdn && !$rpcenv->check_any($authuser, "/sdn/vnets/$k", $privs, 1));
 	    }
 
-	    if ($have_sdn && $param->{type} eq 'any_bridge') {
-		my $vnets = PVE::Network::SDN::get_local_vnets();
-		map {
-		    $ifaces->{$_} = $vnets->{$_};
-		} keys %$vnets;
-	    }
+	    map {
+	    	$ifaces->{$_} = $vnets->{$_};
+	    } keys %$vnets;
 	}
 
 	return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
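Review bot: `$filtered_sdn` in the new `if ($have_sdn && ...)` block is set as soon as any local vnet exists and the caller is not `root@pam`, not when the caller actually has access to a vnet as the commit message describes. A user with no privilege on any `/sdn/vnets/...` path therefore loses every vmbr bridge from the result, while the trailing `map` still copies all entries of `$vnets` into `$ifaces` with no per-vnet check visible in this hunk; if `get_local_vnets()` does not filter by permission itself, run each vnet through the same `check_any` call. Smaller points: the literal `root@pam` comparison hardcodes the superuser name and is redundant if `check_any` already grants root everything; the combined `delete ... if !$match || (...)` line would read better as two statements, with the void-context `map` replaced by a `for` loop; and the cover letter's changelog names the path `/sdn/vnet/<vmbr>` whereas the code checks `/sdn/vnets/$k`, which is worth aligning.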
-- 
2.30.2





* [pve-devel] applied-series: [PATCH v2 pve-manager 0/2] sdn: permissions improvments
From: Thomas Lamprecht @ 2022-03-16 16:01 UTC (permalink / raw)
  To: Proxmox VE development discussion, Alexandre Derumier

On 04.10.21 08:08, Alexandre Derumier wrote:
> - display zones list in global permissions management pathselector
> - remove vmbrX bridges from bridgeselector if the user has permissions on vnets
> 
> 
> changelog v2:
> 
> - check permission on /sdn/vnet/<vmbr> too if the user needs access to both
>   vnets && vmbr
> 
> 
> Alexandre Derumier (2):
>   permpathstore: add sdn zones
>   api2 : network: anybridge: don't display bridges if user have access
>     to vnets.
> 
>  PVE/API2/Network.pm                | 21 ++++++++++++++-------
>  www/manager6/data/PermPathStore.js |  3 +++
>  2 files changed, 17 insertions(+), 7 deletions(-)
> 



applied series, thanks!



