From: "Lukas Wagner" <l.wagner@proxmox.com>
To: "Shan Shaji" <s.shaji@proxmox.com>, <pdm-devel@lists.proxmox.com>
Subject: Re: [RFC PATCH datacenter-manager 3/3] ui: acl: list granular level permission paths for resources
Date: Fri, 27 Mar 2026 11:21:23 +0100 [thread overview]
Message-ID: <DHDHMZQK1YCR.71QSRC369M9C@proxmox.com> (raw)
In-Reply-To: <20260325153535.286380-4-s.shaji@proxmox.com>
On Wed Mar 25, 2026 at 4:35 PM CET, Shan Shaji wrote:
> previously, users were not able to assign permissions to specific
> resources. Resolved this by listing the resources Ids and extending the
> permission paths to include specific resource paths.
>
> Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
> ---
> lib/pdm-api-types/src/acl.rs | 3 +-
> .../configuration/permission_path_selector.rs | 47 ++++++++++++++++++-
> 2 files changed, 48 insertions(+), 2 deletions(-)
>
> diff --git a/lib/pdm-api-types/src/acl.rs b/lib/pdm-api-types/src/acl.rs
> index 405982a..825fd6b 100644
> --- a/lib/pdm-api-types/src/acl.rs
> +++ b/lib/pdm-api-types/src/acl.rs
> @@ -280,9 +280,10 @@ impl proxmox_access_control::init::AccessControlConfig for AccessControlConfig {
> if components_len <= 2 {
> return Ok(());
> }
> +
> // `/resource/{remote-id}/{resource-type=guest,storage}/{resource-id}`
> match components[2] {
> - "guest" | "storage" => {
> + "guest" | "storage" | "datastore" | "node" => {
> // /resource/{remote-id}/{resource-type}
> // /resource/{remote-id}/{resource-type}/{resource-id}
> if components_len <= 4 {
Looks correct to me (quickly double-checked the code base), but as
Shannon already mentioned, this should be its own patch.
> diff --git a/ui/src/configuration/permission_path_selector.rs b/ui/src/configuration/permission_path_selector.rs
> index a0fec86..899fa05 100644
> --- a/ui/src/configuration/permission_path_selector.rs
> +++ b/ui/src/configuration/permission_path_selector.rs
> @@ -9,6 +9,7 @@ use pwt::{prelude::*, AsyncPool};
> use pwt_macros::{builder, widget};
>
> use crate::pdm_client;
> +use pdm_api_types::resource::ResourceType;
>
> static PREDEFINED_PATHS: &[&str] = &[
> "/",
> @@ -67,8 +68,52 @@ impl PdmPermissionPathSelector {
> Ok(paths)
> }
>
> + async fn get_resource_paths() -> Result<Vec<String>, Error> {
> + let resources = pdm_client().resources(None, None).await?;
> + let resource_paths: Vec<String> = resources
> + .into_iter()
> + .flat_map(|remote| {
> + let remote_name = remote.remote;
> +
> + let mut base_paths = vec![remote_name.clone(), format!("{remote_name}/node")];
> + let is_pve = remote.resources.iter().any(|r| {
> + matches!(
> + r.resource_type(),
> + ResourceType::PveQemu | ResourceType::PveLxc
> + )
> + });
> +
> + if is_pve {
> + base_paths.push(format!("{remote_name}/guest"));
> + }
> +
> + let resource_ids =
> + remote.resources.into_iter().filter_map(|resource| {
> + match resource.resource_type() {
> + ResourceType::PveLxc
> + | ResourceType::PveQemu
> + | ResourceType::Node
> + | ResourceType::PbsDatastore => resource
> + .global_id()
> + .strip_prefix("remote/")
> + .map(str::to_owned),
> + _ => None,
> + }
> + });
> +
> + base_paths.into_iter().chain(resource_ids)
> + })
> + .map(|v| format!("{}{v}", "/resource/"))
> + .collect();
> + Ok(resource_paths)
> + }
> +
I don't think we should pre-populate the ACL path selector with *all*
possible resource ACL paths. If you have a big setup with a large number
of remotes/resources, the list can quickly have thousands of entries.
While the performance seemed acceptable in my first test with roughly
6000 resources (which still is not *that* of a large setup), I don't
think having such a huge list of options is a good experience for the
user.
I think it might be best to just add entries for each remote (so
/resource/<remote>) for now.
If we ever want to provide more granularity, I think we need a smarter
approach for selecting/narrowing down on the ACL object in this dialog.
> async fn get_paths() -> Result<Vec<String>, Error> {
> - let paths = Self::get_view_paths().await?;
> + let mut paths = Self::get_view_paths().await?;
> + let mut resource_paths = Self::get_resource_paths().await?;
> +
> + paths.append(&mut resource_paths);
> +
> Ok(paths)
> }
> }
next prev parent reply other threads:[~2026-03-27 10:21 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 15:35 [RFC PATCH datacenter-manager 0/3] ui: acl: pre-populate permission path selector Shan Shaji
2026-03-25 15:35 ` [RFC PATCH datacenter-manager 1/3] pdm-client: add `list_views` function to fetch views list Shan Shaji
2026-03-25 15:35 ` [RFC PATCH datacenter-manager 2/3] ui: acl: list granular level permission paths for views Shan Shaji
2026-03-26 11:16 ` Shannon Sterz
2026-03-25 15:35 ` [RFC PATCH datacenter-manager 3/3] ui: acl: list granular level permission paths for resources Shan Shaji
2026-03-26 11:16 ` Shannon Sterz
2026-03-26 13:58 ` Shan Shaji
2026-03-27 10:21 ` Lukas Wagner [this message]
2026-03-30 9:07 ` Shan Shaji
2026-03-31 9:59 ` Shan Shaji
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHDHMZQK1YCR.71QSRC369M9C@proxmox.com \
--to=l.wagner@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
--cc=s.shaji@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox