From: "Shan Shaji" <s.shaji@proxmox.com>
To: "Stefan Hanreich" <s.hanreich@proxmox.com>,
"Proxmox Datacenter Manager development discussion"
<pdm-devel@lists.proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list
Date: Fri, 17 Oct 2025 13:45:08 +0200 [thread overview]
Message-ID: <DDKKLEN8X00H.2NRX849YMMDQV@proxmox.com> (raw)
In-Reply-To: <52b7cfb5-83bf-4717-b93d-14f5e013aa99@proxmox.com>
On Wed Oct 15, 2025 at 5:20 PM CEST, Stefan Hanreich wrote:
> On 10/14/25 5:03 PM, Shan Shaji wrote:
>> When a non-root user tried to access the EVPN section, the API was
>> throwing "403: permission check failed" error. To fix this, add
>> explicit permission check for the `/vnets` endpoint.
>>
>> Now every authenticated user can access the endpoint however, the user
>> needs to have at least `Resource.Audit` permission under `/resource`.
>> Only the vnets from remotes which the user has `Resource.Audit`
>> privilege on `/remote/{remote_name}` will be included in the returned
>> list.
>>
>> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
>> ---
>> server/src/api/sdn/vnets.rs | 29 ++++++++++++++++++++++++++---
>> 1 file changed, 26 insertions(+), 3 deletions(-)
>>
>> diff --git a/server/src/api/sdn/vnets.rs b/server/src/api/sdn/vnets.rs
>> index a8092cf..a2dfdb4 100644
>> --- a/server/src/api/sdn/vnets.rs
>> +++ b/server/src/api/sdn/vnets.rs
>> @@ -1,3 +1,4 @@
>> +use core::option::Option::Some;
>
> unneeded import?
Thanks for catching that. Will send and updated patch.
>> use std::collections::HashSet;
>>
>> use anyhow::{format_err, Error};
>> @@ -5,10 +6,11 @@ use pbs_api_types::REMOTE_ID_SCHEMA;
>> use pdm_api_types::{
>> remotes::RemoteType,
>> sdn::{CreateVnetRemote, ListVnet, SDN_ID_SCHEMA, VXLAN_ID_SCHEMA},
>> - Authid,
>> + Authid, PRIV_RESOURCE_AUDIT,
>> };
>> +use proxmox_access_control::CachedUserInfo;
>> use proxmox_rest_server::WorkerTask;
>> -use proxmox_router::{Router, RpcEnvironment};
>> +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
>> use proxmox_schema::api;
>> use pve_api_types::{CreateVnet, SdnVnetType};
>>
>> @@ -52,16 +54,37 @@ pub const ROUTER: Router = Router::new()
>> type: ListVnet,
>> },
>> },
>> + access: {
>> + permission: &Permission::Anybody,
>> + description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
>> + Only vnets from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
>> + will be included in the returned list."
>> + }
>> )]
>> /// Query VNets of PVE remotes with optional filtering options
>> async fn list_vnets(
>> pending: Option<bool>,
>> running: Option<bool>,
>> remotes: Option<HashSet<String>>,
>> + rpcenv: &mut dyn RpcEnvironment,
>> ) -> Result<Vec<ListVnet>, Error> {
>> + let user_info = CachedUserInfo::new()?;
>> +
>> + let auth_id: Authid = rpcenv
>> + .get_auth_id()
>> + .ok_or_else(|| format_err!("no authid available"))?
>> + .parse()?;
>> +
>> + if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>> + http_bail!(FORBIDDEN, "user has no access to resources");
>
> we use UNAUTHORIZED instead of FORBIDDEN in other places, so imo would
> be better to do that here too - same for the other 2 patches as well.
>
>> + }
>> +
>> let (remote_config, _) = pdm_config::remotes::config()?;
>> + let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
>> + user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
>> + });
>>
>> - let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
>> + let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
>> if remote.ty == RemoteType::Pve
>> && remotes
>> .as_ref()
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-10-17 11:44 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-14 15:03 [pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard Shan Shaji
2025-10-14 15:03 ` [pdm-devel] [PATCH datacenter-manager 1/3] fix #6901: api: add explicit permission check for controllers list Shan Shaji
2025-10-14 15:03 ` [pdm-devel] [PATCH datacenter-manager 2/3] fix #6901: api: add explicit permission check for vnets list Shan Shaji
2025-10-15 15:20 ` Stefan Hanreich
2025-10-16 8:12 ` Shannon Sterz
2025-10-16 9:24 ` Stefan Hanreich
2025-10-17 11:45 ` Shan Shaji [this message]
2025-10-17 13:05 ` Shan Shaji
2025-10-14 15:03 ` [pdm-devel] [PATCH datacenter-manager 3/3] fix #6901: api: add explicit permission check for zones list Shan Shaji
2025-10-15 15:26 ` [pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard Stefan Hanreich
2025-10-17 11:44 ` Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DDKKLEN8X00H.2NRX849YMMDQV@proxmox.com \
--to=s.shaji@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
--cc=s.hanreich@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox