From: "Shan Shaji" <s.shaji@proxmox.com>
To: "Lukas Wagner" <l.wagner@proxmox.com>,
"Proxmox Datacenter Manager development discussion"
<pdm-devel@lists.proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager v2 1/3] fix #6901: api: add explicit permission check for controllers list
Date: Tue, 04 Nov 2025 10:30:38 +0100 [thread overview]
Message-ID: <DDZT08HGICXP.2OH04YZPIY5WB@proxmox.com> (raw)
In-Reply-To: <DDZ3OZ50UC8O.2KTUK1NRJ7MN@proxmox.com>
On Mon Nov 3, 2025 at 2:40 PM CET, Lukas Wagner wrote:
> Hi Shan, thanks a lot for the patch!
>
> One comment inline, apart from that it looks good to me.
>
> On Fri Oct 17, 2025 at 3:02 PM CEST, Shan Shaji wrote:
>> When a non-root user tried to access the EVPN section, the API was
>> throwing "403: permission check failed" error. To fix this, add
>> explicit permission check for the `/controller` endpoint.
>>
>> Now every authenticated user can access the endpoint however, the user
>> needs to have at least `Resource.Audit` permission under `/resource`.
>> Only the controllers from remotes which the user has `Resource.Audit`
>> privilege on `/remote/{remote_name}` will be included in the returned
>> list.
>>
>> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
>> ---
>> server/src/api/sdn/controllers.rs | 30 ++++++++++++++++++++++++++----
>> 1 file changed, 26 insertions(+), 4 deletions(-)
>>
>> diff --git a/server/src/api/sdn/controllers.rs b/server/src/api/sdn/controllers.rs
>> index 271397a..649d668 100644
>> --- a/server/src/api/sdn/controllers.rs
>> +++ b/server/src/api/sdn/controllers.rs
>> @@ -1,10 +1,11 @@
>> use std::collections::HashSet;
>>
>> -use anyhow::Error;
>> +use anyhow::{format_err, Error};
>>
>> use pbs_api_types::REMOTE_ID_SCHEMA;
>> -use pdm_api_types::{remotes::RemoteType, sdn::ListController};
>> -use proxmox_router::Router;
>> +use pdm_api_types::{remotes::RemoteType, sdn::ListController, Authid, PRIV_RESOURCE_AUDIT};
>> +use proxmox_access_control::CachedUserInfo;
>> +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
>> use proxmox_schema::api;
>> use pve_api_types::ListControllersType;
>>
>> @@ -49,6 +50,12 @@ pub const ROUTER: Router = Router::new().get(&API_METHOD_LIST_CONTROLLERS);
>> type: ListController,
>> },
>> },
>> + access: {
>> + permission: &Permission::Anybody,
>> + description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
>> + Only controllers from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
>
> I think there is a typo here, as far as I can tell the ACL path should
> be /resource/{remote_name}? Also applies to the other two patches.
Hi Lukas, Thank you so much for the review. I will send an updated patch.
>
>> + will be included in the returned list."
>> + }
>> )]
>> /// Query controllers of remotes with optional filtering options
>> pub async fn list_controllers(
>> @@ -56,10 +63,25 @@ pub async fn list_controllers(
>> running: Option<bool>,
>> ty: Option<ListControllersType>,
>> remotes: Option<HashSet<String>>,
>> + rpcenv: &mut dyn RpcEnvironment,
>> ) -> Result<Vec<ListController>, Error> {
>> + let user_info = CachedUserInfo::new()?;
>> +
>> + let auth_id: Authid = rpcenv
>> + .get_auth_id()
>> + .ok_or_else(|| format_err!("no authid available"))?
>> + .parse()?;
>> +
>> + if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>> + http_bail!(FORBIDDEN, "user has no access to resources");
>> + }
>> +
>> let (remote_config, _) = pdm_config::remotes::config()?;
>> + let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
>> + user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
>> + });
>>
>> - let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
>> + let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
>> if remote.ty == RemoteType::Pve
>> && remotes
>> .as_ref()
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-11-04 9:30 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-17 13:02 [pdm-devel] [PATCH datacenter-manager v2 0/3] fix #6901: allow non root users to access the EVPN dashboard Shan Shaji
2025-10-17 13:02 ` [pdm-devel] [PATCH datacenter-manager v2 1/3] fix #6901: api: add explicit permission check for controllers list Shan Shaji
2025-11-03 13:40 ` Lukas Wagner
2025-11-04 9:30 ` Shan Shaji [this message]
2025-11-04 10:19 ` Shan Shaji
2025-10-17 13:02 ` [pdm-devel] [PATCH datacenter-manager v2 2/3] fix #6901: api: add explicit permission check for vnets list Shan Shaji
2025-10-17 13:02 ` [pdm-devel] [PATCH datacenter-manager v2 3/3] fix #6901: api: add explicit permission check for zones list Shan Shaji
2025-10-29 16:53 ` [pdm-devel] [PATCH datacenter-manager v2 0/3] fix #6901: allow non root users to access the EVPN dashboard Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DDZT08HGICXP.2OH04YZPIY5WB@proxmox.com \
--to=s.shaji@proxmox.com \
--cc=l.wagner@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox