public inbox for pdm-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Proxmox Datacenter Manager development discussion"
	<pdm-devel@lists.proxmox.com>,
	"Michael Köppl" <m.koeppl@proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager v3 05/11] api: resources: list: add support for view parameter
Date: Wed, 12 Nov 2025 11:14:03 +0100	[thread overview]
Message-ID: <DE6MXTQ9AXDI.MANQKHRLKDDZ@proxmox.com> (raw)
In-Reply-To: <DE5XSHFHJQSF.1W6ZJOGDMED44@proxmox.com>

On Tue Nov 11, 2025 at 3:31 PM CET, Michael Köppl wrote:
> 2 comments inline
>
> On Thu Nov 6, 2025 at 2:43 PM CET, Lukas Wagner wrote:
>> A view allows one to get filtered subset of all resources, based on
>> filter rules defined in a config file. View integrate with the
>> permission system - if a user has permissions on /view/{view-id}, then
>> these privileges are transitively applied to all resources which are
>> matched by the rules. All other permission checks are replaced if
>> requesting data through a view.
>>
>> Signed-off-by: Lukas Wagner <l.wagner@proxmox.com>
>> ---
>>  server/src/api/resources.rs  | 56 ++++++++++++++++++++++++++++++------
>>  server/src/resource_cache.rs |  3 +-
>>  2 files changed, 50 insertions(+), 9 deletions(-)
>>
>> diff --git a/server/src/api/resources.rs b/server/src/api/resources.rs
>> index dad3e6b6..1b3bfda2 100644
>> --- a/server/src/api/resources.rs
>> +++ b/server/src/api/resources.rs
>> @@ -18,7 +18,7 @@ use pdm_api_types::resource::{
>>  use pdm_api_types::subscription::{
>>      NodeSubscriptionInfo, RemoteSubscriptionState, RemoteSubscriptions, SubscriptionLevel,
>>  };
>> -use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
>> +use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT, VIEW_ID_SCHEMA};
>>  use pdm_search::{Search, SearchTerm};
>>  use proxmox_access_control::CachedUserInfo;
>>  use proxmox_router::{
>> @@ -30,8 +30,8 @@ use proxmox_sortable_macro::sortable;
>>  use proxmox_subscription::SubscriptionStatus;
>>  use pve_api_types::{ClusterResource, ClusterResourceType};
>>  
>> -use crate::connection;
>>  use crate::metric_collection::top_entities;
>> +use crate::{connection, views};
>>  
>>  pub const ROUTER: Router = Router::new()
>>      .get(&list_subdirs_api_method!(SUBDIRS))
>> @@ -221,6 +221,10 @@ impl From<RemoteWithResources> for RemoteResources {
>>                  type: ResourceType,
>>                  optional: true,
>>              },
>> +            view: {
>> +                schema: VIEW_ID_SCHEMA,
>> +                optional: true,
>> +            },
>>          }
>>      },
>>      returns: {
>> @@ -236,10 +240,17 @@ pub async fn get_resources(
>>      max_age: u64,
>>      resource_type: Option<ResourceType>,
>>      search: Option<String>,
>> +    view: Option<String>,
>>      rpcenv: &mut dyn RpcEnvironment,
>>  ) -> Result<Vec<RemoteResources>, Error> {
>> -    let remotes_with_resources =
>> -        get_resources_impl(max_age, search, resource_type, Some(rpcenv)).await?;
>> +    let remotes_with_resources = get_resources_impl(
>> +        max_age,
>> +        search,
>> +        resource_type,
>> +        view.as_deref(),
>> +        Some(rpcenv),
>> +    )
>> +    .await?;
>>      let resources = remotes_with_resources.into_iter().map(Into::into).collect();
>>      Ok(resources)
>>  }
>> @@ -276,6 +287,7 @@ pub(crate) async fn get_resources_impl(
>>      max_age: u64,
>>      search: Option<String>,
>>      resource_type: Option<ResourceType>,
>> +    view: Option<&str>,
>>      rpcenv: Option<&mut dyn RpcEnvironment>,
>>  ) -> Result<Vec<RemoteWithResources>, Error> {
>>      let user_info = CachedUserInfo::new()?;
>> @@ -285,9 +297,15 @@ pub(crate) async fn get_resources_impl(
>>              .get_auth_id()
>>              .ok_or_else(|| format_err!("no authid available"))?
>>              .parse()?;
>> -        if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>> +
>> +        // NOTE: Assumption is that the regular permission check is completely replaced by a check
>> +        // on the view ACL object *if* a view parameter is passed.
>> +        if let Some(view) = &view {
>> +            user_info.check_privs(&auth_id, &["view", view], PRIV_RESOURCE_AUDIT, false)?;
>> +        } else if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>>              http_bail!(FORBIDDEN, "user has no access to resources");
>>          }
>> +
>>          opt_auth_id = Some(auth_id);
>>      }
>>  
>> @@ -296,12 +314,22 @@ pub(crate) async fn get_resources_impl(
>>  
>>      let filters = search.map(Search::from).unwrap_or_default();
>>  
>> +    let view = views::get_optional_view(view.as_deref())?;
>
> Is this .as_deref() needed? `view` already is a Option<&str>.
>

Good catch!

>> +
>>      let remotes_only = is_remotes_only(&filters);
>>  
>>      for (remote_name, remote) in remotes_config {
>>          if let Some(ref auth_id) = opt_auth_id {
>> -            let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]);
>> -            if remote_privs & PRIV_RESOURCE_AUDIT == 0 {
>> +            if view.is_none() {
>> +                let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]);
>> +                if remote_privs & PRIV_RESOURCE_AUDIT == 0 {
>> +                    continue;
>> +                }
>> +            }
>> +        }
>> +
>> +        if let Some(view) = &view {
>> +            if view.can_skip_remote(&remote_name) {
>>                  continue;
>>              }
>>          }
>
> Wouldn't it make more sense to switch the two if-blocks above?
>
>     if let Some(view) = &view {
>         if view.can_skip_remote(&remote_name) {
>             continue;
>         }
>     }
>
>     if let Some(ref auth_id) = opt_auth_id {
>         if view.is_none() {
>             let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]);
>             if remote_privs & PRIV_RESOURCE_AUDIT == 0 {
>                 continue;
>             }
>         }
>     }
>
> Then view filtering takes precedence over checking the permissions, same
> as in get_subscription_status. Might be that I'm misinterpreting this,
> though.
>

I think the order does not really make a difference, no? Sine the
regular check is gated by the `if view.is_none()`.

Anyways, I changed it to the following, since it is a bit nicer to read:

        if let Some(view) = &view {
            if view.can_skip_remote(&remote_name) {
                continue;
            }
        } else if let Some(ref auth_id) = opt_auth_id {
            let remote_privs = user_info.lookup_privs(auth_id, &["resource", &remote_name]);
            if remote_privs & PRIV_RESOURCE_AUDIT == 0 {
                continue;
            }
        }





_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel

  reply	other threads:[~2025-11-12 10:13 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-06 13:43 [pdm-devel] [PATCH datacenter-manager v3 00/11] backend implementation for view filters Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 01/11] pdm-api-types: views: add ViewConfig type Lukas Wagner
2025-11-11 10:57   ` Michael Köppl
2025-11-12 10:04     ` Lukas Wagner
2025-11-11 10:58   ` Michael Köppl
2025-11-12 10:05     ` Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 02/11] pdm-config: views: add support for views Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 03/11] acl: add '/view' and '/view/{view-id}' as allowed ACL paths Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 04/11] views: add implementation for view resource filtering Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 05/11] api: resources: list: add support for view parameter Lukas Wagner
2025-11-11 14:31   ` Michael Köppl
2025-11-12 10:14     ` Lukas Wagner [this message]
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 06/11] api: resources: top entities: " Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 07/11] api: resources: status: " Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 08/11] api: subscription " Lukas Wagner
2025-11-11 14:46   ` Michael Köppl
2025-11-12  8:19     ` Shannon Sterz
2025-11-12 10:26       ` Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 09/11] api: remote-tasks: " Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 10/11] pdm-client: resource list: add view-filter parameter Lukas Wagner
2025-11-06 13:43 ` [pdm-devel] [PATCH datacenter-manager v3 11/11] pdm-client: top entities: " Lukas Wagner
2025-11-11 15:00 ` [pdm-devel] [PATCH datacenter-manager v3 00/11] backend implementation for view filters Michael Köppl
2025-11-12 10:37 ` [pdm-devel] superseded: " Lukas Wagner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DE6MXTQ9AXDI.MANQKHRLKDDZ@proxmox.com \
    --to=l.wagner@proxmox.com \
    --cc=m.koeppl@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal