From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id BC0D688C3 for ; Wed, 16 Nov 2022 10:32:28 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9861D1CD32 for ; Wed, 16 Nov 2022 10:31:58 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 16 Nov 2022 10:31:57 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id A319E44B55 for ; Wed, 16 Nov 2022 10:31:57 +0100 (CET) Date: Wed, 16 Nov 2022 10:31:50 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Dominik Csapak , Proxmox VE development discussion , Thomas Lamprecht References: <20221115130248.1007325-1-d.csapak@proxmox.com> <20221115130248.1007325-5-d.csapak@proxmox.com> <1668524410.yomu90q6hb.astroid@yuna.none> <895c5e1e-4de0-19fe-91a0-f604cc451be8@proxmox.com> <7cfca64a-2ab1-405a-fde1-1f4f14e043b8@proxmox.com> In-Reply-To: <7cfca64a-2ab1-405a-fde1-1f4f14e043b8@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.16.0 (https://github.com/astroidmail/astroid) Message-Id: <1668590513.dxe50wm4po.astroid@yuna.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: =?UTF-8?Q?0=0A=09?=AWL 0.139 Adjusted score from AWL reputation of From: =?UTF-8?Q?address=0A=09?=BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict =?UTF-8?Q?Alignment=0A=09?=SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF =?UTF-8?Q?Record=0A=09?=SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2022 09:32:28 -0000 On November 16, 2022 10:10 am, Thomas Lamprecht wrote: > Am 16/11/2022 um 10:04 schrieb Dominik Csapak: >> On 11/16/22 09:54, Thomas Lamprecht wrote: >>> Am 16/11/2022 um 09:47 schrieb Dominik Csapak: >>>>> I=C2=A0am=C2=A0not=C2=A0sure=C2=A0the=C2=A0second=C2=A0sentence=C2=A0= is=C2=A0necessary,=C2=A0or=C2=A0rather,=C2=A0wouldn't=C2=A0it=C2=A0be=C2=A0= better >>>>> to=C2=A0make=C2=A0the=C2=A0two=C2=A0lists=C2=A0mutually=C2=A0exclusiv= e?=C2=A0e.g.,=C2=A0by=C2=A0removing=C2=A0privileged=C2=A0tags=C2=A0from >>>>> the=C2=A0other=C2=A0list? >>>> >>>> i=C2=A0don't=C2=A0really=C2=A0want=C2=A0to=C2=A0auto=C2=A0remove=C2=A0= stuff=C2=A0from=C2=A0one=C2=A0option=C2=A0when=C2=A0set=C2=A0on=C2=A0anothe= r. >>>> maybe=C2=A0it'd=C2=A0make=C2=A0more=C2=A0sense=C2=A0if=C2=A0we=C2=A0do= n't=C2=A0allow=C2=A0setting=C2=A0and=C2=A0admin=C2=A0tag=C2=A0when >>>> it's=C2=A0already=C2=A0set=C2=A0in=C2=A0the=C2=A0'user-allow-list'=C2= =A0and=C2=A0vice=C2=A0versa?=C2=A0then >>>> there=C2=A0cannot=C2=A0be=C2=A0a=C2=A0situation=C2=A0where=C2=A0a=C2= =A0tag=C2=A0is=C2=A0in=C2=A0both=C2=A0lists=C2=A0at=C2=A0the=C2=A0same=C2= =A0time? >>>> >>> >>> >>> Limits use cases, as we'll only ever allow priv'd tags to be used for t= hings >>> like backup job guest-source selection, and there may be scenarios wher= e an >>> admin wants to allow the user to set a specific privileged tags in the = VMs >>> they control. >>> >>> To make that work we'd: >>> - explicitly allow such listed tags for "normal" VM users even if they'= re in the >>> =C2=A0=C2=A0 privileged-tags (that's why I used the term "registered" i= n previous comments, >>> =C2=A0=C2=A0 might be better suited if we deem that privileged is then = confusing) >>> >>> - highlight the fact if a tag is in both >>> >>=20 >> ok, then i have to change the permission checking code (currently i forb= id >> 'normal' users the tag if it was in the 'privileged-tags' section, regar= dless >> =C2=A0if it was in the 'user-allow-list' or not) >=20 > maybe wait on Fabian's opinion on that, I don't want to push this to stro= ngly > but can imagine that it might be sensible and useful, and hard to change = later. If we say vzdump should only use privileged tags for backup inclusion logic= (to avoid unprivileged users adding that tag to their VM and causing it to be b= acked up), but then make some of those tags effectively non-privileged (which all= ows exactly that), why do we have the restriction in vzdump in the first place? that sounds like a complicated way (with lots of side-effects, because privileged tags might be used in other places in the future as well) to mak= e the "vzdump should only use privileged tags" part configurable.. maybe there sh= ould simply be a list of "vzdump tags" in addition to the privileged ones? those would then be unprivileged, but the scope of "these allow vzdump job inclus= ion" is clear and limited. or we just keep "vzdump only looks at privileged tags= " for now to keep it simple - extending that one way or another in the future is always possible if it is restricted now, the other way is harder ;)