public inbox for pdm-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/11] ACL edit api and ui components
Date: Thu, 28 Aug 2025 12:59:01 +0200	[thread overview]
Message-ID: <20250828105912.294887-1-s.sterz@proxmox.com> (raw)

this series aims to make more parts of our access control list
implementation re-usable between products. in a first step most of the
relevant api endpoints and api types are moved to
`proxmox-access-control`. this is done by adding a new `api` feature
that includes the necessary api endpoints. the `AccessControlConfig`
trait is also expanded to make the api endpoints more adaptable to
different products. by providing default implementations for the newly
added trait functions existing users don't need to change anything. it
also tries to make the code here easier to understand as the checks
could be hard to grasp previously.

next the series adds components to proxmox-yew-comp to provide a panel
for inspecting the current acl and adding or removing entries. this is
done by using the existing `RoleSelector` and `AuthidSelector`
components. the later is also slightly adapted to make it possible to
change the api endpoint that roles are fetched from as well as the
default role. the `AclView` component allows users of the crate to add
more options for adding ACL entries. meaning they can configure distinct
components for adding user, token or group permissions. this is done in
a generic fashion so that extending this menu does not require changing
the component again.

finally proxmox-datacenter-manager is adapted to use the new api
endpoints in `proxmox-access-control` and a permissions panel is
implemented. note that this would benefit from some clean-up once
permission path and such are cleaned up.

Changelog
---------

changes since v2:

- rebase on current master for each repository

changes since v1:

- added a patch that refactors the top-level privilege checking logic
  for the acl endpoints to use `CachedUserInfo`'s `check_privs` and to
  allow for configuring partial permission matches per product. this
  ideally also makes the permission checks easier to understand (patch
  proxmox 5).
- added a patch that refactors the `extract_acl_node_data` helper
  function to be non-recursive. this should improve the memory footprint
  of this function, especially when dealing with deeper trees (patch
  proxmox 6)

proxmox:

Shannon Sterz (6):
  access-control: add more types to prepare for api feature
  access-control: add acl api feature
  access-control: add comments to roles function of AccessControlConfig
  access-control: add generic roles endpoint to `api` feature
  access-control: api: refactor validation checks to re-use existing
    code
  access-control: api: refactor extract_acl_node_data to be
    non-recursive

 proxmox-access-control/Cargo.toml             |   8 +
 proxmox-access-control/src/acl.rs             |  12 +-
 proxmox-access-control/src/api.rs             | 349 ++++++++++++++++++
 .../src/cached_user_info.rs                   |   4 +-
 proxmox-access-control/src/init.rs            |  35 +-
 proxmox-access-control/src/lib.rs             |   3 +
 proxmox-access-control/src/types.rs           |  87 ++++-
 7 files changed, 486 insertions(+), 12 deletions(-)
 create mode 100644 proxmox-access-control/src/api.rs


proxmox-yew-comp:

Shannon Sterz (3):
  api-types/role_selector: depend on common `RoleInfo` type
  acl: add a view and semi-generic `EditWindow` for acl entries
  role_selector/acl_edit: make api endpoint and default role
    configurable

 src/acl/acl_edit.rs     | 112 +++++++++++++++++
 src/acl/acl_view.rs     | 270 ++++++++++++++++++++++++++++++++++++++++
 src/acl/mod.rs          |   5 +
 src/common_api_types.rs |   8 --
 src/lib.rs              |   3 +
 src/role_selector.rs    |  22 +++-
 6 files changed, 407 insertions(+), 13 deletions(-)
 create mode 100644 src/acl/acl_edit.rs
 create mode 100644 src/acl/acl_view.rs
 create mode 100644 src/acl/mod.rs


proxmox-datacenter-manager:

Shannon Sterz (2):
  server: use proxmox-access-control api implementations
  ui: configuration: add panel for viewing and editing acl entries

 server/Cargo.toml                             |   2 +-
 server/src/acl.rs                             | 102 ++++-
 server/src/api/access/acl.rs                  | 357 ------------------
 server/src/api/access/mod.rs                  |   4 +-
 ui/src/configuration/mod.rs                   |  23 +-
 .../configuration/permission_path_selector.rs |  86 +++++
 6 files changed, 208 insertions(+), 366 deletions(-)
 delete mode 100644 server/src/api/access/acl.rs
 create mode 100644 ui/src/configuration/permission_path_selector.rs


Summary over all repositories:
  19 files changed, 1101 insertions(+), 391 deletions(-)

--
Generated by git-murpp 0.8.1


_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel


             reply	other threads:[~2025-08-28 10:59 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-28 10:59 Shannon Sterz [this message]
2025-08-28 10:59 ` [pdm-devel] [PATCH proxmox v3 1/6] access-control: add more types to prepare for api feature Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH proxmox v3 2/6] access-control: add acl " Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH proxmox v3 3/6] access-control: add comments to roles function of AccessControlConfig Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH proxmox v3 4/6] access-control: add generic roles endpoint to `api` feature Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH proxmox v3 5/6] access-control: api: refactor validation checks to re-use existing code Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH proxmox v3 6/6] access-control: api: refactor extract_acl_node_data to be non-recursive Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH yew-comp v3 1/3] api-types/role_selector: depend on common `RoleInfo` type Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH yew-comp v3 2/3] acl: add a view and semi-generic `EditWindow` for acl entries Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH yew-comp v3 3/3] role_selector/acl_edit: make api endpoint and default role configurable Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH datacenter-manager v3 1/2] server: use proxmox-access-control api implementations Shannon Sterz
2025-08-28 10:59 ` [pdm-devel] [PATCH datacenter-manager v3 2/2] ui: configuration: add panel for viewing and editing acl entries Shannon Sterz
2025-08-28 21:15 ` [pdm-devel] applied-series: [PATCH datacenter-manager/proxmox/yew-comp v3 00/11] ACL edit api and ui components Thomas Lamprecht

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250828105912.294887-1-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal