From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Mon, 05 Jun 2023 12:13:21 +0200
In-Reply-To: <20230604233709.1340089-1-aderumier@odiso.com>
Message-Id: <1685958374.jxhx4d0md8.astroid@yuna.none>
Subject: Re: [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge

On June 5, 2023 1:37 am, Alexandre Derumier wrote:
> add vnet/localbridge permissions management
>
> Hi,
> as we have discussed some weeks ago,
> this patch series introduces management of acl for vnets && local bridges
>
> I have reused the current sdn permissions path, to have common paths
>
> /sdn/vnets//
>
> where the local vmbr are in a virtual "localnetwork" zone
>
> /sdn/vnets/local/
>
> Vlans permissions are also handled with
> /sdn/vnets///

these paths don't match the patches ;)

if the paths were like this, then we could go one step further and admins could set propagate on the zone to hand out access to the full zone, including all vnets *and* vlan tags, and we could just check the vnet (or vnet+tag), and the zone would be implicitly checked as well (by virtue of traversing the ACL path). we'd need to check for consistency of zone+vnet when checking ACLs though, which is not required right now.

>
> if a user has permissions on the zone, he has access to all vnets/vlans
> if a user has permissions on the vnet/tag, he has access to only the specific vlan.
> if a user has permissions on the vnet, he has access to all vlans of the vnet

these last two I'd do differently.

permission on vnet/tag => permission to use that vlan
permission on vnet => permission to use the vnet/bridge (without tag)

if I want to give permission for all tags, I can simply give out the role on vnet with propagation.
since the permissions are only checked when (re)configuring a guest, it doesn't matter that that check is a bit expensive/potentially checking a lot of paths..

>
> I have reworked the sdn zone panel from the tree, to manage permissions
> on displayed vnets.
>
> some screenshots:
>
> https://mutulin1.odiso.net/sdnzone-perm.png
> https://mutulin1.odiso.net/localzone-perm.png

I didn't check the GUI patches in detail yet, but IMHO they are also less important right now (they are only a convenience feature for the new feature of configuring VLAN access).

we'd like to get the basic patches in place this week if possible, if that is too soon I can also fold in some of my suggestions as follow-ups, just tell me what works for you!

> for proxmox7: (for users to be able to add permissions before upgrade to pve8)
> pve-access-control: patch1 (to new /vnet/vlan path)
> pve-manager : patch1-2 for the new gui

the access control changes should be enough, it's always possible to set the ACLs using the regular ACL GUI and/or `pveum`. it might make sense to have at least the local bridge ACL path (for the zone, or for the zone and the bridges?) in the regular ACL selectors in 7.x as well, if we pull in something in pve-manager, then IMHO it should be that, not the full-fledged new panels.

I do think we need a second pve-access-control patch though (for a new SDN.Use privilege and corresponding role), that also needs to go into 7.x

> changelog v2:
> - use /vnets/vlan instead of /vnets.vlan
> - rework the bridge filtering when user has access only to a specific vlan
> - api2 network: always check bridge access if no filter is defined
>
> todo:
> - add permissions on clone/restore ?
>
> pve-access-control:
>
> Alexandre Derumier (2):
>   access control: add /sdn/vnets// path
>   rpcenvironnment: add check_sdn_bridge
>
>  src/PVE/AccessControl.pm  |  1 +
>  src/PVE/RPCEnvironment.pm | 17 +++++++++++++++++
>  2 files changed, 18 insertions(+)
>
>
> pve-manager:
>
> Alexandre Derumier (3):
>   add vnet permissions panel
>   add permissions management for "localnetwork" zone
>   api2: network: check permissions for local bridges
>
>  PVE/API2/Cluster.pm                  |  12 ++
>  PVE/API2/Network.pm                  |  26 ++-
>  www/manager6/Makefile                |   2 +
>  www/manager6/sdn/Browser.js          |  17 +-
>  www/manager6/sdn/VnetACLView.js      | 299 +++++++++++++++++++++++++++
>  www/manager6/sdn/ZoneContentPanel.js |  41 ++++
>  www/manager6/sdn/ZoneContentView.js  |  52 ++++-
>  7 files changed, 420 insertions(+), 29 deletions(-)
>  create mode 100644 www/manager6/sdn/VnetACLView.js
>  create mode 100644 www/manager6/sdn/ZoneContentPanel.js
>
> qemu-server:
>
> Alexandre Derumier (1):
>   api2: add check_bridge_access for create/update vm
>
>  PVE/API2/Qemu.pm | 38 +++++++++++++++++++++++++++++++++++++-
>  1 file changed, 37 insertions(+), 1 deletion(-)
>
>
> --
> 2.30.2
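The ACL semantics argued over in this thread (a role on the zone with propagate covering every vnet and tag below it, a role on the vnet alone covering only the untagged bridge, and a zone+vnet consistency check so that a vnet cannot be claimed under the wrong zone's path) can be modelled in a few lines. The following is an added illustration written for this page, not code from the patch series or from pve-access-control: the hierarchical path walk and the propagate flag mirror how Proxmox VE ACLs work in general, but the role name "SDNUser", the zone/vnet topology and the user names are constructed for the example, and "SDN.Use" is taken from the reply's proposal rather than from any released privilege list.

```python
"""Added illustration (not PVE code): path-based ACL checks with propagation
over the /sdn/vnets/<zone>/<vnet>/<tag> layout discussed in the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    path: str        # ACL object path, e.g. "/sdn/vnets/zone1"
    user: str
    role: str
    propagate: bool  # role also applies to every path below `path`


# Hypothetical role -> privilege table. "SDN.Use" is the privilege the reply
# proposes; the role name "SDNUser" is an assumption made for this example.
ROLES = {
    "SDNUser": {"SDN.Use"},
    "Administrator": {"SDN.Use", "SDN.Allocate"},
}

# Constructed SDN topology: zone -> set of vnets. Plain local bridges live in
# the virtual "local" zone, as the cover letter describes.
VNETS = {
    "zone1": {"vnet1", "vnet2"},
    "local": {"vmbr0", "vmbr1"},
}

# Constructed ACL table used by the checks below (and by the test).
SAMPLE_ACLS = [
    # alice: zone-wide access with propagate -> all vnets and all tags
    AclEntry("/sdn/vnets/zone1", "alice@pve", "SDNUser", True),
    # bob: vnet without propagate -> untagged use of vnet1 only
    AclEntry("/sdn/vnets/zone1/vnet1", "bob@pve", "SDNUser", False),
    # carol: vnet with propagate -> vnet1 and every tag on it
    AclEntry("/sdn/vnets/zone1/vnet1", "carol@pve", "SDNUser", True),
    # dave: one specific vlan tag only
    AclEntry("/sdn/vnets/zone1/vnet1/100", "dave@pve", "SDNUser", False),
    # erin: all local bridges via the virtual "local" zone
    AclEntry("/sdn/vnets/local", "erin@pve", "SDNUser", True),
]


def _prefixes(path):
    """Yield "/", "/sdn", "/sdn/vnets", ... up to and including `path`."""
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def has_privilege(acls, user, path, priv):
    """Walk from the root down to `path`.

    An entry on the exact path always counts; an entry on an ancestor counts
    only when its propagate flag is set. This is what makes "role on the zone
    with propagate" implicitly cover the vnet and tag below it.
    """
    for prefix in _prefixes(path):
        for entry in acls:
            if entry.user != user or entry.path != prefix:
                continue
            if (prefix == path or entry.propagate) and priv in ROLES.get(entry.role, ()):
                return True
    return False


def check_bridge_access(acls, user, zone, vnet, tag=None):
    """True if `user` may attach a guest NIC to (zone, vnet[, tag]).

    The zone+vnet consistency check the reply asks for: the vnet must really
    belong to the named zone, otherwise a caller could present a vnet from
    another zone under a zone path they do hold a role on.
    """
    if vnet not in VNETS.get(zone, ()):
        return False
    path = f"/sdn/vnets/{zone}/{vnet}"
    if tag is not None:
        path += f"/{tag}"
    return has_privilege(acls, user, path, "SDN.Use")


if __name__ == "__main__":
    for user, zone, vnet, tag in [
        ("alice@pve", "zone1", "vnet2", 200),
        ("bob@pve", "zone1", "vnet1", None),
        ("bob@pve", "zone1", "vnet1", 100),
        ("carol@pve", "zone1", "vnet1", 4094),
        ("dave@pve", "zone1", "vnet1", None),
        ("erin@pve", "local", "vmbr0", None),
        ("alice@pve", "local", "vnet1", None),  # vnet1 is not in "local"
    ]:
        print(user, zone, vnet, tag, "->", check_bridge_access(SAMPLE_ACLS, user, zone, vnet, tag))
```

Note that the model deliberately treats "role on the vnet without propagate" as untagged access only, which is the second of the two interpretations in the thread; switching to the cover letter's original reading (vnet role covers all tags) would mean treating the tag component as a filter rather than as a further ACL path element.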