From: Gabriel Goller <g.goller@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox-datacenter-manager 9/9] api: add permissions for sdn resources
Date: Wed, 12 Nov 2025 14:20:26 +0100 [thread overview]
Message-ID: <20251112132045.165444-10-g.goller@proxmox.com> (raw)
In-Reply-To: <20251112132045.165444-1-g.goller@proxmox.com>
Until now, the resources do not have any granular permissions, you only
need to have `Audit` on `/resources/{resource-name}` and you will have
access to all resources. In order to limit this more, check permissions
when every resource object is added to the list. Note that this probably
has some performance implications.
Only SDN is considered at the moment.
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
server/src/api/resources.rs | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
index 8b9d3b1baa25..b6680e3f1c71 100644
--- a/server/src/api/resources.rs
+++ b/server/src/api/resources.rs
@@ -309,7 +309,7 @@ pub(crate) async fn get_resources_impl(
let remotes_only = is_remotes_only(&filters);
for (remote_name, remote) in remotes_config {
- if let Some(ref auth_id) = opt_auth_id {
+ if let Some(auth_id) = &opt_auth_id {
let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]);
if remote_privs & PRIV_RESOURCE_AUDIT == 0 {
continue;
@@ -327,6 +327,8 @@ pub(crate) async fn get_resources_impl(
continue;
}
let filter = filters.clone();
+ let user_info = user_info.clone();
+ let opt_auth_id = opt_auth_id.clone();
let handle = tokio::spawn(async move {
let (mut resources, error) = match get_resources_for_remote(&remote, max_age).await {
Ok(resources) => (resources, None),
@@ -346,6 +348,23 @@ pub(crate) async fn get_resources_impl(
}
}
+ // check permissions
+ if let (Resource::PveNetwork(sdn_resource), Some(auth_id)) =
+ (resource, &opt_auth_id)
+ {
+ return (user_info.lookup_privs(
+ auth_id,
+ &[
+ "resource",
+ &remote_name,
+ "sdn",
+ sdn_resource.network_type().as_str(),
+ sdn_resource.name(),
+ ],
+ ) & PRIV_RESOURCE_AUDIT)
+ != 0;
+ }
+
filter.matches(|filter| {
// if we get can't decide if it matches, don't filter it out
resource_matches_search_term(&remote_name, resource, filter).unwrap_or(true)
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
prev parent reply other threads:[~2025-11-12 13:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-12 13:20 [pdm-devel] [RFC proxmox-datacenter-manager 0/9] Granular permissions for SDN resources Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 1/9] api: sdn: rename vnets to zones in list_zones Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 2/9] api: sdn: rename "vnet" to "controller" in list_controller Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 3/9] ui: improve error message when controller cannot be found Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 4/9] api: allow acl paths longer than 4 segments in sdn Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 5/9] api: sdn: add granular permissions for zones Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 6/9] api: sdn: add granular permissions for vnets Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 7/9] api: sdn: add granular permissions for controllers Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 8/9] api: add permissions for ip-vrf and mac-vrf endpoints Gabriel Goller
2025-11-12 13:20 ` Gabriel Goller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251112132045.165444-10-g.goller@proxmox.com \
--to=g.goller@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox