From: Gabriel Goller <g.goller@proxmox.com>
To: David Riley <d.riley@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets
Date: Fri, 12 Jun 2026 15:46:55 +0200 [thread overview]
Message-ID: <178127201519.718919.5198816838031871654.b4-reply@b4> (raw)
In-Reply-To: <920d1522-9a76-4ba7-90a6-f7fa5ffecc73@proxmox.com>
On 2026-06-12 14:51 +0200, David Riley wrote:
> Thanks for the feedback.
>
> The intention behind adding this segment to the ACL path is to allow
> for fine-grained, hierarchical permission scoping, not to couple the
> ACL system to specific VNet properties.
>
> I used vlan as a placeholder for 'tag', but in retrospect, the naming
> is a bit confusing, and I'm happy to adapt this in a v2.
>
> From a permission perspective, including the tag in the path makes
> sense, as it allows us to restrict pool users to a specific VNet and
> tag combination.
Maybe I'm a bit dim, but you mean the VNet tag right -- so the tag I configure
on each VNet?
> So if you have a pool with a VM, storage and VNet + Tag and assign the
> pool permissions: PVEVMAdmin, PVESDNUser
>
> The user can fully manage this VM, including adding a new NIC, but
> they can only add it using the exact VNet + Tag combination. Just
> adding the VNet would not work.
How is this different than just adding the VNet? Will this restrict the user
from adding another vlan tag on the VM (when using vlanaware vnets)? Is this
just to prevent the user from editing the VNet tag?
> Let me know if this makes sense.
>
> [snip]
next prev parent reply other threads:[~2026-06-12 13:47 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 14:59 [PATCH access-control/cluster/manager/network/qemu-server 0/9] fix #7294: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 1/9] ui: replace var with let to match style guide for variable declaration David Riley
2026-06-11 14:59 ` [PATCH pve-manager 2/9] fix #7294: api: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 3/9] fix #7294: ui: " David Riley
2026-06-11 14:59 ` [PATCH pve-access-control 4/9] fix #7294: acl: " David Riley
2026-06-11 14:59 ` [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets David Riley
2026-06-12 12:18 ` Gabriel Goller
2026-06-12 12:51 ` David Riley
2026-06-12 13:46 ` Gabriel Goller [this message]
2026-06-12 14:17 ` David Riley
2026-06-11 14:59 ` [PATCH pve-network 6/9] fix #7294: sdn: vnet: update pool members on vnet migration and deletion David Riley
2026-06-11 16:21 ` Gabriel Goller
2026-06-12 6:37 ` David Riley
2026-06-12 8:41 ` Gabriel Goller
2026-06-11 14:59 ` [PATCH pve-cluster 7/9] cluster: add helpers module with version comparison functions David Riley
2026-06-11 14:59 ` [PATCH pve-cluster 8/9] fix #7294: cluster: helpers: add cluster-wide version assertion David Riley
2026-06-11 14:59 ` [PATCH qemu-server 9/9] fix #7294: helpers: use cluster-wide version helper David Riley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178127201519.718919.5198816838031871654.b4-reply@b4 \
--to=g.goller@proxmox.com \
--cc=d.riley@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox