From: Gabriel Goller <g.goller@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [pdm-devel] [PATCH proxmox-datacenter-manager 8/9] api: add permissions for ip-vrf and mac-vrf endpoints
Date: Wed, 12 Nov 2025 14:20:25 +0100 [thread overview]
Message-ID: <20251112132045.165444-9-g.goller@proxmox.com> (raw)
In-Reply-To: <20251112132045.165444-1-g.goller@proxmox.com>
The ip-vrf and mac-vrf endpoints expose EVPN zone and vnet information
but currently lack access control. Add permission checks that require
Audit privileges on the respective zone or vnet.
Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
---
server/src/api/nodes/sdn.rs | 52 +++++++++++++++++++++++++++++++++++--
1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/server/src/api/nodes/sdn.rs b/server/src/api/nodes/sdn.rs
index 065ebe07846e..ee857ea9eee9 100644
--- a/server/src/api/nodes/sdn.rs
+++ b/server/src/api/nodes/sdn.rs
@@ -1,4 +1,4 @@
-use anyhow::{anyhow, Error};
+use anyhow::{anyhow, format_err, Error};
use http::StatusCode;
use pdm_api_types::{remotes::REMOTE_ID_SCHEMA, sdn::SDN_ID_SCHEMA, NODE_SCHEMA};
@@ -9,6 +9,10 @@ use pve_api_types::{SdnVnetMacVrf, SdnZoneIpVrf};
use crate::api::pve::{connect, get_remote};
mod zones {
+ use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
+ use proxmox_access_control::CachedUserInfo;
+ use proxmox_router::{http_bail, Permission, RpcEnvironment};
+
use super::*;
const ZONE_SUBDIRS: SubdirMap = &[("ip-vrf", &Router::new().get(&API_METHOD_GET_IP_VRF))];
@@ -28,13 +32,33 @@ mod zones {
},
},
returns: { type: SdnZoneIpVrf },
+ access: {
+ permission: &Permission::Anybody,
+ description: "The user needs to have at least the `Resource.Audit` privilege on
+ `/resource/{remote}/sdn/zone/{zone}`."
+ }
)]
/// Get the IP-VRF for an EVPN zone for a node on a given remote
async fn get_ip_vrf(
remote: String,
node: String,
zone: String,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<SdnZoneIpVrf>, Error> {
+ let user_info = CachedUserInfo::new()?;
+
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "zone", &zone])
+ & PRIV_RESOURCE_AUDIT
+ == 0
+ {
+ http_bail!(FORBIDDEN, "user has no access to {remote}/sdn/zone/{zone}");
+ }
+
let (remote_config, _) = pdm_config::remotes::config()?;
let remote = get_remote(&remote_config, &remote)?;
let client = connect(remote)?;
@@ -52,6 +76,10 @@ mod zones {
}
mod vnets {
+ use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
+ use proxmox_access_control::CachedUserInfo;
+ use proxmox_router::{http_bail, Permission, RpcEnvironment};
+
use super::*;
const VNET_SUBDIRS: SubdirMap = &[("mac-vrf", &Router::new().get(&API_METHOD_GET_MAC_VRF))];
@@ -71,16 +99,36 @@ mod vnets {
},
},
returns: { type: SdnVnetMacVrf },
+ access: {
+ permission: &Permission::Anybody,
+ description: "The user needs to have at least the `Resource.Audit` privilege on
+ `/resource/{remote}/sdn/vnet/{vnet}`."
+ }
)]
/// Get the MAC-VRF for an EVPN vnet for a node on a given remote
async fn get_mac_vrf(
remote: String,
node: String,
vnet: String,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<SdnVnetMacVrf>, Error> {
+ let user_info = CachedUserInfo::new()?;
+
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "vnet", &vnet])
+ & PRIV_RESOURCE_AUDIT
+ == 0
+ {
+ http_bail!(FORBIDDEN, "user has no access to {remote}/sdn/vnet/{vnet}");
+ }
+
let (remote_config, _) = pdm_config::remotes::config()?;
let remote = get_remote(&remote_config, &remote)?;
- let client = connect(&remote)?;
+ let client = connect(remote)?;
client
.get_vnet_mac_vrf(&node, &vnet)
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-11-12 13:20 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-12 13:20 [pdm-devel] [RFC proxmox-datacenter-manager 0/9] Granular permissions for SDN resources Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 1/9] api: sdn: rename vnets to zones in list_zones Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 2/9] api: sdn: rename "vnet" to "controller" in list_controller Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 3/9] ui: improve error message when controller cannot be found Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 4/9] api: allow acl paths longer than 4 segments in sdn Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 5/9] api: sdn: add granular permissions for zones Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 6/9] api: sdn: add granular permissions for vnets Gabriel Goller
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 7/9] api: sdn: add granular permissions for controllers Gabriel Goller
2025-11-12 13:20 ` Gabriel Goller [this message]
2025-11-12 13:20 ` [pdm-devel] [PATCH proxmox-datacenter-manager 9/9] api: add permissions for sdn resources Gabriel Goller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251112132045.165444-9-g.goller@proxmox.com \
--to=g.goller@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox