From: Gabriel Goller
To: pdm-devel@lists.proxmox.com
Date: Wed, 12 Nov 2025 14:20:26 +0100
Message-ID: <20251112132045.165444-10-g.goller@proxmox.com>
In-Reply-To: <20251112132045.165444-1-g.goller@proxmox.com>
Subject: [pdm-devel] [PATCH proxmox-datacenter-manager 9/9] api: add permissions for sdn resources

Until now, the resources do not have any granular permissions; you only need to have `Audit` on `/resources/{resource-name}` and you will have access to all resources. In order to limit this more, check permissions when every resource object is added to the list. Note that this probably has some performance implications. Only SDN is considered at the moment.

Signed-off-by: Gabriel Goller
---
server/src/api/resources.rs | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs index 8b9d3b1baa25..b6680e3f1c71 100644 --- a/server/src/api/resources.rs +++ b/server/src/api/resources.rs @@ -309,7 +309,7 @@ pub(crate) async fn get_resources_impl( let remotes_only = is_remotes_only(&filters); for (remote_name, remote) in remotes_config { - if let Some(ref auth_id) = opt_auth_id { + if let Some(auth_id) = &opt_auth_id { let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]); if remote_privs & PRIV_RESOURCE_AUDIT == 0 { continue;
@@ -327,6 +327,8 @@ pub(crate) async fn get_resources_impl( continue; } let filter = filters.clone(); + let user_info = user_info.clone(); + let opt_auth_id = opt_auth_id.clone(); let handle = tokio::spawn(async move { let (mut resources, error) = match get_resources_for_remote(&remote, max_age).await { Ok(resources) => (resources, None), @@ -346,6 +348,23 @@ pub(crate) async fn get_resources_impl( } } + // check permissions + if let (Resource::PveNetwork(sdn_resource), Some(auth_id)) = + (resource, &opt_auth_id) + { + return (user_info.lookup_privs( + auth_id, + &[ + "resource", + &remote_name, + "sdn", + sdn_resource.network_type().as_str(), + sdn_resource.name(), + ], + ) & PRIV_RESOURCE_AUDIT) + != 0; + } + filter.matches(|filter| { // if we get can't decide if it matches, don't filter it out resource_matches_search_term(&remote_name, resource, filter).unwrap_or(true) -- 2.47.3
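Review bot: the first hunk (`@@ -309,7 +309,7 @@`) only rewrites `if let Some(ref auth_id) = opt_auth_id` as `if let Some(auth_id) = &opt_auth_id`, which is a pure style change with no behavioural effect and no relation to the SDN permission check this patch is about; either drop it from this patch or mention it in the commit message so a reader does not look for a semantic difference that is not there.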
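Review bot: in the second hunk (`@@ -327,6 +327,8 @@`), `let user_info = user_info.clone();` now runs once per remote and moves a copy into each `tokio::spawn` task; if `user_info` at this point is already reference-counted (an `Arc`), the clone is a pointer bump and this is fine, but if it is the full cached ACL/user structure by value, every remote pays for a deep copy of it. The hunk alone does not show the type, so please either confirm it is an `Arc` or wrap it in one once before the `for (remote_name, remote) in remotes_config` loop and clone the `Arc` here. The commit message's "probably has some performance implications" would also be more useful with a rough number (remotes times resources times one `lookup_privs` call each).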
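Review bot: the third hunk (`@@ -346,6 +348,23 @@`) has a logic problem: the new block ends with `return (user_info.lookup_privs(...) & PRIV_RESOURCE_AUDIT) != 0;`, so for every `Resource::PveNetwork` the closure returns before reaching `filter.matches(|filter| { ... })`, which means an SDN resource the user is allowed to audit is kept regardless of the search term and the search filter silently stops applying to SDN objects. Only the negative case should short-circuit, i.e. `if privs & PRIV_RESOURCE_AUDIT == 0 { return false; }` and then fall through to `filter.matches(...)` as for every other resource type. Two smaller points on the same hunk: the ACL path assembled here is `["resource", &remote_name, "sdn", <type>, <name>]`, while the commit message talks about `/resources/{resource-name}`, so one of the two should be corrected to match the other (the existing remote-level check in the first hunk also uses `"resource"`); and when `opt_auth_id` is `None` the new check is skipped entirely and SDN resources are returned unconditionally, which mirrors the remote-level check but is worth a short comment next to `// check permissions` so nobody later reads it as an oversight.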