From: Fabian Grünbichler
To: Proxmox VE development discussion
Date: Tue, 06 Jun 2023 09:31:46 +0200
Subject: Re: [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge
Message-Id: <1686036605.tcp2iewvk2.astroid@yuna.none>
In-Reply-To: <45c767c555473f0969dd1036627c9f9b76d2c340.camel@groupe-cyllene.com>
References: <20230604233709.1340089-1-aderumier@odiso.com> <1685958374.jxhx4d0md8.astroid@yuna.none> <45c767c555473f0969dd1036627c9f9b76d2c340.camel@groupe-cyllene.com>

On June 6, 2023 7:32 am, DERUMIER, Alexandre wrote:
> On Monday, 5 June 2023 at 12:13 +0200, Fabian Grünbichler wrote:
>> On June 5, 2023 1:37 am, Alexandre Derumier wrote:
>> > add vnet/localbridge permissions management
>> >
>> > Hi,
>> > as we discussed some weeks ago,
>> > this patch series introduces management of ACLs for vnets && local
>> > bridges
>> >
>> > I have reused the current sdn permissions path, to have common paths
>> >
>> > /sdn/vnets//
>> >
>> > where the local vmbr are in a virtual "localnetwork" zone
>> >
>> > /sdn/vnets/local/
>> >
>> > Vlan permissions are also handled with
>> > /sdn/vnets///
>>
>> these paths don't match the patches ;)
>>
>> if the paths were like this, then we could go one step further and
>> admins could set propagate on the zone to hand out access to the full
>> zone, including all vnets *and* vlan tags, and we could just check the
>> vnet (or vnet+tag), and the zone would be implicitly checked as well (by
>> virtue of traversing the ACL path).
>>
>> we'd need to check for consistency of zone+vnet when checking ACLs
>> though, which is not required right now.
> oh yes, I think it was my first try.
>
> currently the vnet ids are unique (and possibly (at least in sdn) a user
> could move the vnet between zones. (not implemented, but technically,
> it'll work, and ifreload is able to online replug the vnet with vm
> guests running).
>
> I don't think it's something that users want to do regularly, so maybe
> it's not a problem to use /zone/vnet/tag, and it's more secure if users
> need to recheck the acl.

I just wanted to mention it since it caught my eye; treating zones and
vnets as independent also makes sense, it should just be consistent :)

there are pros and cons for both approaches:

- pro for current approach:
-- vnets can be moved/converted between zones, ACLs stay valid
-- no extra checks needed

- pro for zone/vnet/.. approach:
-- propagation from zone to vnet is possible without manually doing it
   at the check site
-- binding between zone and vnet is enforced at the ACL level
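To make the trade-off in the list above concrete, here is a small Python model of the two ACL path layouts, added as an example and not code from pve-access-control or from the patch series: the ACL store, the propagate semantics, the privilege name SDN.Use and the path shape /sdn/vnets/<zone>/<vnet>/<tag> are all assumptions of the example.

```python
from typing import Dict, Optional, Tuple

# Constructed sample store: path -> {user: (privileges, propagate)}.
Acl = Dict[str, Dict[str, Tuple[frozenset, bool]]]
PRIV = "SDN.Use"  # privilege name assumed for the example

def privs_for(acl: Acl, user: str, path: str) -> frozenset:
    """Walk from the root down to `path`: an entry on an ancestor applies only
    if propagate is set, an entry on the exact path always applies."""
    parts = [p for p in path.split("/") if p]
    privs: frozenset = frozenset()
    for depth in range(len(parts) + 1):
        prefix = "/" + "/".join(parts[:depth])
        entry = acl.get(prefix, {}).get(user)
        if entry and (depth == len(parts) or entry[1]):
            privs = entry[0]  # deeper entries override shallower ones
    return privs

def check_flat(acl: Acl, user: str, vnet: str, tag: Optional[int] = None) -> bool:
    """Current layout: the vnet path does not name its zone."""
    path = f"/sdn/vnets/{vnet}" + (f"/{tag}" if tag is not None else "")
    return PRIV in privs_for(acl, user, path)

def check_hierarchical(acl: Acl, vnet_zone: Dict[str, str], user: str,
                       zone: str, vnet: str, tag: Optional[int] = None) -> bool:
    """zone/vnet/tag layout: the zone is traversed implicitly by the lookup."""
    if vnet_zone.get(vnet) != zone:  # the extra zone+vnet consistency check
        return False
    path = f"/sdn/vnets/{zone}/{vnet}" + (f"/{tag}" if tag is not None else "")
    return PRIV in privs_for(acl, user, path)

# Constructed fixtures: vnet1 lives in zoneA; alice has propagating rights on
# zoneA, carol has non-propagating rights on zoneA, bob has rights on zoneB.
VNET_ZONE = {"vnet1": "zoneA"}
ACL_HIER: Acl = {"/sdn/vnets/zoneA": {"alice": (frozenset({PRIV}), True),
                                      "carol": (frozenset({PRIV}), False)},
                 "/sdn/vnets/zoneB": {"bob": (frozenset({PRIV}), True)}}
ACL_FLAT: Acl = {"/sdn/vnets/vnet1": {"alice": (frozenset({PRIV}), False)}}

def demo() -> Dict[str, bool]:
    moved = {"vnet1": "zoneB"}  # vnet1 after being moved to another zone
    return {
        "hier_vnet": check_hierarchical(ACL_HIER, VNET_ZONE, "alice", "zoneA", "vnet1"),
        "hier_tag": check_hierarchical(ACL_HIER, VNET_ZONE, "alice", "zoneA", "vnet1", 100),
        "hier_no_propagate": check_hierarchical(ACL_HIER, VNET_ZONE, "carol", "zoneA", "vnet1"),
        "hier_wrong_zone": check_hierarchical(ACL_HIER, VNET_ZONE, "bob", "zoneB", "vnet1"),
        "flat_after_move": check_flat(ACL_FLAT, "alice", "vnet1"),
        "hier_after_move": check_hierarchical(ACL_HIER, moved, "alice", "zoneB", "vnet1"),
    }
```

`demo()` shows that propagate on the zone covers vnet and tag with no work at the check site, that a path naming the wrong zone is rejected only because of the explicit consistency check, and that after moving a vnet the flat ACL still grants while the hierarchical one has to be re-granted.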