From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Proxmox Datacenter Manager development discussion
<pdm-devel@lists.proxmox.com>
Subject: Re: [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/10] add support for checking acl permissions in (yew) front-ends
Date: Thu, 13 Nov 2025 15:27:04 +0100 [thread overview]
Message-ID: <DE7MY3S088X9.1DRNLWXDND6BX@proxmox.com> (raw)
In-Reply-To: <1763041798.famz3bfta9.astroid@yuna.none>
On Thu Nov 13, 2025 at 2:58 PM CET, Fabian Grünbichler wrote:
> On November 6, 2025 3:38 pm, Shannon Sterz wrote:
>> this patch series adds support for querying acl entries from the
>> front-end. it also makes it possible to reactively render ui components
>> depending on the user's privileges and refreshes this information every
>> time a new ticket is set.
>>
>> the first four patches make it possible to use the AclTree by itself in
>> the ui. first by creating a new feature that exposes only it and some
>> types to dependent crates. then some functions that basically just query
>> the AclTree are moved to the AclTree itself to make it easier to re-use
>> them. the fourth patch derives Debug and PartialEq on the AclTree and
>> AclTreeNode to make it easier to handle these types in the ui. finally
>> the last commit allows to query all of a user's acl entries via the
>> API_METHOD_READ_ACL endpoint.
>
> high-level question:
>
> the actual privilege checks in the backend use the full set of ACLs. the
> frontend can only ever see a subset of ACLs, since giving it all ACLs
> would leak a lot of sensitive information.
>
> doesn't that mean that the frontend will make wrong decisions in some
> scenarios?
>
> e.g., the backend currently doesn't return any group ACLs if you do
> exact filtering. but group ACLs can influence the ACL resolution
as discussed off list, that'd be true if the filter in
`extract_acl_node_data` isn't adapted. i'll add a fixme comment to the
next version of this series for now.
how exactely to takle this will depend on how we implement groups:
* does a user know that they are part of a group?
* if disclosing such membership is fine, is it fine to disclose what the
group has access to in all cases? e.g. what if the user is part of a
group, but certain acl entries are then restricted on top via a
NoAccess privilege or similar?
* will looking up whether the user is part of a group be handled by the
acl tree directly? (this is at least indicated by comments already
present in `AclTreeNode::extract_group_roles()`)
most of these are difficult to answer without actually tackling an
implementation of the group feature. not entirely sure how i can address
this here beside adding that `fixme` comment.
i suppose i could also try to extract the roles with `AclTree::roles`,
which extracts the roles via `AclTreeNode::extract_roles` which is
already somewhat opinionated about how groups should work here. not sure
what is ideal here.
>> the next two patches first add an AclContext and AclContextProvider
>> implementation to proxmox-yew-comp. these allow applications to provide
>> acl information that components can hook into and get reactively
>> re-rendered. it also triggers reloading the acl information every time a
>> user logs in or a ticket gets refreshed.
>>
>> lastly, proxmox-datacenter-manager is adapted to use this new
>> functionality. the seventh commit moves the AccessControlConfig to the
>> shared api types crate, so we can re-use it in the front-end. then an
>> AclContextProvider is added to the main ui component. this allows
>> components to retrieve said AclContext and use it to conditionally
>> render ui components. the last commit adds just such functionality to
>> the notes section of the pdm ui.
>>
>> Follow-up
>> ---------
>>
>> if this series is applied, more ui components will need to be hooked
>> into the context to more widely use this functionality accross the
>> application.
>>
>> Changelog
>> ---------
>>
>> note that there was already a v2 [1] of this series, but this was a mistake
>> and should be considered a v1. sorry for the confusion.
>>
>> changes since v2:
>>
>> - combine impl only functions into private modules and impl blocks to
>> more cleanly separate them out (thanks @ Wolfgang Bumiller)
>> - add a small clean up commit for in-lining format string variables
>>
>> changes since v1:
>>
>> - move removing a use line to the right commit (thanks @ Dominik Csapak)
>> - instead of adapting the NodesView, simply avoid setting an on_submit
>> callback if the user doesn't have the permissions (thanks @ Dominik
>> Csapak)
>>
>>
>> proxmox:
>>
>> Shannon Sterz (5):
>> access-control: add acl feature to only expose types and the AclTree
>> access-control: use format strings where possible
>> access-control: move functions querying privileges to the AclTree
>> access-control: derive Debug and PartialEq on AclTree and AclTreeNode
>> access-control: allow reading all acls of the current authid
>>
>> proxmox-access-control/Cargo.toml | 5 +-
>> proxmox-access-control/src/acl.rs | 509 +++++++++++-------
>> proxmox-access-control/src/api/acl.rs | 37 +-
>> .../src/cached_user_info.rs | 91 +---
>> proxmox-access-control/src/init.rs | 91 ++--
>> proxmox-access-control/src/lib.rs | 4 +-
>> proxmox-access-control/src/token_shadow.rs | 2 +-
>> proxmox-access-control/src/user.rs | 3 +-
>> 8 files changed, 415 insertions(+), 327 deletions(-)
>>
>>
>> proxmox-yew-comp:
>>
>> Shannon Sterz (2):
>> acl_context: add AclContext and AclContextProvider
>> http_helpers: reload LocalAclTree when logging in or refreshing a
>> ticket
>>
>> Cargo.toml | 2 +-
>> src/acl_context.rs | 204 ++++++++++++++++++++++++++++++++++++++++++++
>> src/http_helpers.rs | 5 ++
>> src/lib.rs | 3 +
>> 4 files changed, 213 insertions(+), 1 deletion(-)
>> create mode 100644 src/acl_context.rs
>>
>>
>> proxmox-datacenter-manager:
>>
>> Shannon Sterz (3):
>> server/api-types: move AccessControlConfig to shared api types
>> ui: add an AclContext via the AclContextProvider to the main app ui
>> ui: main menu: use the AclContext to hide the Notes if appropriate
>>
>> lib/pdm-api-types/Cargo.toml | 1 +
>> lib/pdm-api-types/src/acl.rs | 158 ++++++++++++++++++++++++++++++++++
>> server/src/acl.rs | 162 +----------------------------------
>> ui/Cargo.toml | 1 +
>> ui/src/main.rs | 14 ++-
>> ui/src/main_menu.rs | 68 ++++++++++-----
>> 6 files changed, 221 insertions(+), 183 deletions(-)
>>
>>
>> Summary over all repositories:
>> 18 files changed, 849 insertions(+), 511 deletions(-)
>>
>> --
>> Generated by git-murpp 0.8.1
>>
>>
>> _______________________________________________
>> pdm-devel mailing list
>> pdm-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
>>
>>
>>
>
>
> _______________________________________________
> pdm-devel mailing list
> pdm-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
next prev parent reply other threads:[~2025-11-13 14:26 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-06 14:38 Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 1/5] access-control: add acl feature to only expose types and the AclTree Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 2/5] access-control: use format strings where possible Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 3/5] access-control: move functions querying privileges to the AclTree Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 4/5] access-control: derive Debug and PartialEq on AclTree and AclTreeNode Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH proxmox v3 5/5] access-control: allow reading all acls of the current authid Shannon Sterz
2025-11-13 10:23 ` Lukas Wagner
2025-11-06 14:38 ` [pdm-devel] [PATCH yew-comp v3 1/2] acl_context: add AclContext and AclContextProvider Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH yew-comp v3 2/2] http_helpers: reload LocalAclTree when logging in or refreshing a ticket Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH datacenter-manager v3 1/3] server/api-types: move AccessControlConfig to shared api types Shannon Sterz
2025-11-13 10:15 ` Lukas Wagner
2025-11-13 10:23 ` Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH datacenter-manager v3 2/3] ui: add an AclContext via the AclContextProvider to the main app ui Shannon Sterz
2025-11-06 14:38 ` [pdm-devel] [PATCH datacenter-manager v3 3/3] ui: main menu: use the AclContext to hide the Notes if appropriate Shannon Sterz
2025-11-13 10:21 ` [pdm-devel] [PATCH datacenter-manager/proxmox/yew-comp v3 00/10] add support for checking acl permissions in (yew) front-ends Lukas Wagner
2025-11-13 10:26 ` Shannon Sterz
2025-11-13 13:58 ` Fabian Grünbichler
2025-11-13 14:27 ` Shannon Sterz [this message]
2025-11-13 16:18 ` Thomas Lamprecht
2025-11-13 16:39 ` Shannon Sterz
2025-11-13 17:06 ` Thomas Lamprecht
2025-11-14 14:44 ` [pdm-devel] Superseded: " Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DE7MY3S088X9.1DRNLWXDND6BX@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox