public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge
Date: Mon, 05 Jun 2023 12:13:21 +0200	[thread overview]
Message-ID: <1685958374.jxhx4d0md8.astroid@yuna.none> (raw)
In-Reply-To: <20230604233709.1340089-1-aderumier@odiso.com>

On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> add vnet/localbridge permissions management
> 
> Hi,
> as we has discuted some weeks ago,
> this patche serie introduce management of acl for vnets && local bridges
> 
> I have reuse current sdn permissions path, to have common paths
> 
> /sdn/vnets/<zone>/<vnet>
> 
> where the local vmbr are in a virtual "localnetwork" zone
> 
> /sdn/vnets/local/<vnet>
> 
> Vlans permissions  are also handled with
> /sdn/vnets/<zone>/<vnet>/<tag>

these paths don't match the patches ;)

if the paths were like this, then we could go one step further and
admins could set propagate on the zone to hand out access to the full
zone, including all vnets *and* vlan tags, and we could just check the
vnet (or vnet+tag), and the zone would be implicitly checked as well (by
virtue of traversing the ACL path).

we'd need to check for consistency of zone+vnet when checking ACLs
though, which is not required right now.

> 
> if user have permissions on the zone, he have access to all vnets/vlan
> if user have permissions on the vnet/tag, he have access to only the specific vlan.
> if user have permissions on the vnet, he have access to all vlans of the vnet

these last two I'd do differently.

permission on vnet/tag => permission to use that vlan
permission on vnet => permission to use the vnet/bridge (without tag)

if I want to give permission for all tags, I can simply give out the
role on vnet with propagation. since the permissions are only checked
when (re)configuring a guest, it doesn't matter that that check is a bit
expensive/potentially checking a lot of paths..

> 
> I have reworked the sdn zone panel from the tree, to manage permissions
> on displayed vnets.
> 
> some screenshots:
> 
> https://mutulin1.odiso.net/sdnzone-perm.png
> https://mutulin1.odiso.net/localzone-perm.png

I didn't check the GUI patches in detail yet, but IMHO they are also
less important right now (they are only a convenience feature for the
new feature of configuring VLAN access).

we'd like to get the basic patches in place this week if possible, if
that is too soon I can also fold in some of my suggestions as
follow-ups, just tell me what works for you!

> for proxmox7: (for users be able to add permissions before upgrade to pve8)
> pve-access-control: patch1 (to new /vnet/vlan path)
> pve-manager : patch1-2 for the new gui

the access control changes should be enough, it's always possible to set
the ACLs using the regular ACL GUI and/or `pveum`. it might make sense
to have at least the local bridge ACL path (for the zone, or for the
zone and the bridges?) in the regular ACL selectors in 7.x as well, if
we pull in something in pve-manager, than IMHO it should be that, not
the full-flegded new panels.

I do think we need a second pve-access-control patch though (for a new
SDN.Use privilege and corresponding role), that also needs to go into
7.x

> changelog v2:
>  - use /vnets/vlan instead /vnets.vlan
>  - rework the bridge filtering when user have access only to a specific vlan
>  - api2 network: always check bridge access if no filter is defined
> 
> todo:
>  - add permissions on clone/restore ?
> 
> 
> 
> pve-access-control:
> 
> Alexandre Derumier (2):
>   access control: add /sdn/vnets/<vnet>/<vlan> path
>   rpcenvironnment: add check_sdn_bridge
> 
>  src/PVE/AccessControl.pm  |  1 +
>  src/PVE/RPCEnvironment.pm | 17 +++++++++++++++++
>  2 files changed, 18 insertions(+)
> 
> 
> pve-manager:
> 
> Alexandre Derumier (3):
>   add vnet permissions panel
>   add permissions management for "localnetwork" zone
>   api2: network: check permissions for local bridges
> 
>  PVE/API2/Cluster.pm                  |  12 ++
>  PVE/API2/Network.pm                  |  26 ++-
>  www/manager6/Makefile                |   2 +
>  www/manager6/sdn/Browser.js          |  17 +-
>  www/manager6/sdn/VnetACLView.js      | 299 +++++++++++++++++++++++++++
>  www/manager6/sdn/ZoneContentPanel.js |  41 ++++
>  www/manager6/sdn/ZoneContentView.js  |  52 ++++-
>  7 files changed, 420 insertions(+), 29 deletions(-)
>  create mode 100644 www/manager6/sdn/VnetACLView.js
>  create mode 100644 www/manager6/sdn/ZoneContentPanel.js
> 
> qemu-server:
> 
> Alexandre Derumier (1):
>   api2: add check_bridge_access for create/update vm
> 
>  PVE/API2/Qemu.pm | 38 +++++++++++++++++++++++++++++++++++++-
>  1 file changed, 37 insertions(+), 1 deletion(-)
> 
> 
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
> 




  parent reply	other threads:[~2023-06-05 10:13 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-04 23:37 Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH pve-access-control 1/2] access control: add /sdn/vnets/<vnet>/<vlan> path Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH v2 pve-manager 1/3] add vnet permissions panel Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH v2 qemu-server 1/1] api2: add check_bridge_access for create/update vm Alexandre Derumier
2023-06-05  7:38   ` Thomas Lamprecht
2023-06-06  4:20     ` DERUMIER, Alexandre
2023-06-05 10:12   ` Fabian Grünbichler
2023-06-04 23:37 ` [pve-devel] [PATCH v2 pve-manager 2/3] add permissions management for "localnetwork" zone Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH pve-access-control 2/2] rpcenvironnment: add check_sdn_bridge Alexandre Derumier
2023-06-05 10:12   ` Fabian Grünbichler
2023-06-06 12:15     ` DERUMIER, Alexandre
2023-06-06 12:37       ` Fabian Grünbichler
2023-06-04 23:37 ` [pve-devel] [PATCH v2 pve-manager 3/3] api2: network: check permissions for local bridges Alexandre Derumier
2023-06-05 10:13 ` Fabian Grünbichler [this message]
2023-06-06  5:32   ` [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge DERUMIER, Alexandre
2023-06-06  6:54     ` DERUMIER, Alexandre
2023-06-06  7:43       ` Fabian Grünbichler
2023-06-06  7:31     ` Fabian Grünbichler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1685958374.jxhx4d0md8.astroid@yuna.none \
    --to=f.gruenbichler@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal