From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <pdm-devel-bounces@lists.proxmox.com> Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id A41701FF15E for <inbox@lore.proxmox.com>; Tue, 22 Apr 2025 10:13:33 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0E2DD35904; Tue, 22 Apr 2025 10:13:32 +0200 (CEST) Mime-Version: 1.0 Date: Tue, 22 Apr 2025 10:12:58 +0200 Message-Id: <D9D0LZGZ48JH.138730OWTJD4B@proxmox.com> To: "Thomas Lamprecht" <t.lamprecht@proxmox.com>, "Proxmox Datacenter Manager development discussion" <pdm-devel@lists.proxmox.com> From: "Shannon Sterz" <s.sterz@proxmox.com> Labels: X-Mailer: aerc 0.20.1-0-g2ecb8770224a-dirty References: <20250411134435.269524-1-s.sterz@proxmox.com> <82d71cc1-3b66-425f-a309-91dbc1d1e016@proxmox.com> In-Reply-To: <82d71cc1-3b66-425f-a309-91dbc1d1e016@proxmox.com> X-SPAM-LEVEL: Spam detection results: 0 AWL 0.018 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v2 00/11] ACL edit api and ui components X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion <pdm-devel.lists.proxmox.com> List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pdm-devel>, <mailto:pdm-devel-request@lists.proxmox.com?subject=unsubscribe> List-Archive: <http://lists.proxmox.com/pipermail/pdm-devel/> List-Post: <mailto:pdm-devel@lists.proxmox.com> List-Help: <mailto:pdm-devel-request@lists.proxmox.com?subject=help> List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel>, <mailto:pdm-devel-request@lists.proxmox.com?subject=subscribe> Reply-To: Proxmox Datacenter Manager development discussion <pdm-devel@lists.proxmox.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" <pdm-devel-bounces@lists.proxmox.com> On Thu Apr 17, 2025 at 5:46 PM CEST, Thomas Lamprecht wrote: > Am 11.04.25 um 15:44 schrieb Shannon Sterz: >> this series aims to make more parts of our access control list >> implementation re-usable between products. in a first step most of the >> relevant api endpoints and api types are moved to >> `proxmox-access-control`. this is done by adding a new `api` feature >> that includes the necessary api endpoints. the `AccessControlConfig` >> trait is also expanded to make the api endpoints more adaptable to >> different products. by providing default implementations for the newly >> added trait functions existing users don't need to change anything. it >> also tries to make the code here easier to understand as the checks >> could be hard to grasp previously. >> >> next the series adds components to proxmox-yew-comp to provide a panel >> for inspecting the current acl and adding or removing entries. this is >> done by using the existing `RoleSelector` and `AuthidSelector` >> components. the later is also slightly adapted to make it possible to >> change the api endpoint that roles are fetched from as well as the >> default role. the `AclView` component allows users of the crate to add >> more options for adding ACL entries. meaning they can configure distinct >> components for adding user, token or group permissions. this is done in >> a generic fashion so that extending this menu does not require changing >> the component again. >> >> finally proxmox-datacenter-manager is adapted to use the new api >> endpoints in `proxmox-access-control` and a permissions panel is >> implemented. note that this would benefit from some clean-up once >> permission path and such are cleaned up. >> > > I double-checked, so I hope I did not just overlook it, but I could not > find any (higher level) changelog since v1, neither a series wide one > nor a per patch one. At least one would be really nice to have, and > having both is always great from a reviewer POV IMO. sorry yeah, a lot of the review here kind of happened off list and i forgot to add it in the end, let me add it here: - added a patch that refactors the top-level privilege checking logic for the acl endpoints to use `CachedUserInfo`'s `check_privs` and to allow for configuring partial permission matches per product. this ideally also makes the permission checks easier to understand (patch proxmox 5) - added a patch that refactors the `extract_acl_node_data` helper function to be non-recursive. this should improve the memory footprint of this function, especially when dealing with deeper trees (patch proxmox 6) hopefully this won't have cause to much trouble as both changes are part of their own additional patches. _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel