public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH v2 pve-manager 0/2] sdn: permissions improvments
@ 2021-10-04  6:08 Alexandre Derumier
  2021-10-04  6:08 ` [pve-devel] [PATCH v2 pve-manager 1/2] permpathstore: add sdn zones Alexandre Derumier
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Alexandre Derumier @ 2021-10-04  6:08 UTC (permalink / raw)
  To: pve-devel

- display the zones list in the global permissions management pathselector
- remove vmbrX bridges from the bridgeselector if the user has permissions on vnets


changelog v2:

- check permission on /sdn/vnet/<vmbr> too if the user needs access to both
  vnets && vmbr


Alexandre Derumier (2):
  permpathstore: add sdn zones
  api2 : network: anybridge: don't display bridges if user have access
    to vnets.

 PVE/API2/Network.pm                | 21 ++++++++++++++-------
 www/manager6/data/PermPathStore.js |  3 +++
 2 files changed, 17 insertions(+), 7 deletions(-)

-- 
2.30.2





* [pve-devel] [PATCH v2 pve-manager 1/2] permpathstore: add sdn zones
  2021-10-04  6:08 [pve-devel] [PATCH v2 pve-manager 0/2] sdn: permissions improvments Alexandre Derumier
@ 2021-10-04  6:08 ` Alexandre Derumier
  2021-10-04  6:08 ` [pve-devel] [PATCH v2 pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets Alexandre Derumier
  2022-03-16 16:01 ` [pve-devel] applied-series: [PATCH v2 pve-manager 0/2] sdn: permissions improvments Thomas Lamprecht
  2 siblings, 0 replies; 4+ messages in thread
From: Alexandre Derumier @ 2021-10-04  6:08 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 www/manager6/data/PermPathStore.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/www/manager6/data/PermPathStore.js b/www/manager6/data/PermPathStore.js
index 1dc276b6..cf702c03 100644
--- a/www/manager6/data/PermPathStore.js
+++ b/www/manager6/data/PermPathStore.js
@@ -10,6 +10,7 @@ Ext.define('PVE.data.PermPathStore', {
 	{ 'value': '/access/realm' },
 	{ 'value': '/nodes' },
 	{ 'value': '/pool' },
+	{ 'value': '/sdn/zones' },
 	{ 'value': '/storage' },
 	{ 'value': '/vms' },
     ],
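
Review bot: the new `/sdn/zones` entry covers zones only, while patch 2/2 of this series checks ACLs on `/sdn/vnets/$k` and its commit message points admins at a permission on "/sdn/vnets/vmbrX". No `/sdn/vnets` entry is added to this list, so the selector does not offer the path the second patch depends on. Either add a `/sdn/vnets` base entry here or state in the commit message that the vnet path is deliberately left out.
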
@@ -32,6 +33,8 @@ Ext.define('PVE.data.PermPathStore', {
 		    break;
 		case 'lxc': path = '/vms/' + record.get('vmid');
 		    break;
+		case 'sdn': path = '/sdn/zones/' + record.get('sdn');
+		    break;
 		case 'storage': path = '/storage/' + record.get('storage');
 		    break;
 		case 'pool': path = '/pool/' + record.get('pool');
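
Review bot: the added `case 'sdn'` branch hard-codes the `/sdn/zones/` prefix, so it assumes every resource record of type 'sdn' is a zone and that its 'sdn' field holds the zone ID. The commit message contains nothing besides the sign-off; a sentence stating that assumption (there or as a comment on the case) would help, since a record of type 'sdn' that is not a zone would yield an ACL path pointing at the wrong object.
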
-- 
2.30.2





* [pve-devel] [PATCH v2 pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets.
  2021-10-04  6:08 [pve-devel] [PATCH v2 pve-manager 0/2] sdn: permissions improvments Alexandre Derumier
  2021-10-04  6:08 ` [pve-devel] [PATCH v2 pve-manager 1/2] permpathstore: add sdn zones Alexandre Derumier
@ 2021-10-04  6:08 ` Alexandre Derumier
  2022-03-16 16:01 ` [pve-devel] applied-series: [PATCH v2 pve-manager 0/2] sdn: permissions improvments Thomas Lamprecht
  2 siblings, 0 replies; 4+ messages in thread
From: Alexandre Derumier @ 2021-10-04  6:08 UTC (permalink / raw)
  To: pve-devel

This removes vmbr* from the bridgeselector if the user has access to vnets.
If the user also needs access to vmbr, we can add a permission
on the path "/sdn/vnets/vmbrX".

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
 PVE/API2/Network.pm | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index a26f36d2..53165660 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -226,6 +226,7 @@ __PACKAGE__->register_method({
 	my ($param) = @_;
 
 	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
 
 	my $tmp = PVE::INotify::read_file('interfaces', 1);
 	my $config = $tmp->{data};
@@ -238,20 +239,26 @@ __PACKAGE__->register_method({
 	delete $ifaces->{lo}; # do not list the loopback device
 
 	if ($param->{type}) {
+	    my $vnets = {};
+	    my $filtered_sdn = undef;
+	    my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
+
+	    if ($have_sdn && $param->{type} eq 'any_bridge') {
+		$vnets = PVE::Network::SDN::get_local_vnets();
+		$filtered_sdn = 1 if $authuser ne 'root@pam' && keys %{$vnets} > 0;
+	    }
+
 	    foreach my $k (keys %$ifaces) {
 		my $type = $ifaces->{$k}->{type};
 		my $match =  ($param->{type} eq $type) || (
 		    ($param->{type} eq 'any_bridge') && 
 		    ($type eq 'bridge' || $type eq 'OVSBridge'));
-		delete $ifaces->{$k} if !$match;
+		delete $ifaces->{$k} if !$match || ($filtered_sdn && !$rpcenv->check_any($authuser, "/sdn/vnets/$k", $privs, 1));
 	    }
 
-	    if ($have_sdn && $param->{type} eq 'any_bridge') {
-		my $vnets = PVE::Network::SDN::get_local_vnets();
-		map {
-		    $ifaces->{$_} = $vnets->{$_};
-		} keys %$vnets;
-	    }
+	    map {
+	    	$ifaces->{$_} = $vnets->{$_};
+	    } keys %$vnets;
 	}
 
 	return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
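
Review bot: `$filtered_sdn` is set from `$authuser ne 'root@pam' && keys %{$vnets} > 0`, which tests only whether get_local_vnets() returned anything, while the commit message describes the condition as the user having access to vnets. The two match only if get_local_vnets() already filters by the caller's permissions, which these lines do not show; if it does not, every non-root user loses all vmbr bridges as soon as one vnet exists on the node. Please add a comment stating that dependency or make the check explicit. Further points on the same hunk: the root bypass compares the user name string instead of going through the ACL check used for everyone else; the code checks `/sdn/vnets/$k` while the cover letter changelog says `/sdn/vnet/<vmbr>`, so one of the two should be corrected; this only filters the returned list, so the commit message should say it is a display filter and not enforcement on the bridge itself; and the final `map` runs in void context with mixed space/tab indentation, where a `for` statement modifier would read better.
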
-- 
2.30.2





* [pve-devel] applied-series: [PATCH v2 pve-manager 0/2] sdn: permissions improvments
  2021-10-04  6:08 [pve-devel] [PATCH v2 pve-manager 0/2] sdn: permissions improvments Alexandre Derumier
  2021-10-04  6:08 ` [pve-devel] [PATCH v2 pve-manager 1/2] permpathstore: add sdn zones Alexandre Derumier
  2021-10-04  6:08 ` [pve-devel] [PATCH v2 pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets Alexandre Derumier
@ 2022-03-16 16:01 ` Thomas Lamprecht
  2 siblings, 0 replies; 4+ messages in thread
From: Thomas Lamprecht @ 2022-03-16 16:01 UTC (permalink / raw)
  To: Proxmox VE development discussion, Alexandre Derumier

On 04.10.21 08:08, Alexandre Derumier wrote:
> - display the zones list in the global permissions management pathselector
> - remove vmbrX bridges from the bridgeselector if the user has permissions on vnets
> 
> 
> changelog v2:
> 
> - check permission on /sdn/vnet/<vmbr> too if the user needs access to both
>   vnets && vmbr
> 
> 
> Alexandre Derumier (2):
>   permpathstore: add sdn zones
>   api2 : network: anybridge: don't display bridges if user have access
>     to vnets.
> 
>  PVE/API2/Network.pm                | 21 ++++++++++++++-------
>  www/manager6/data/PermPathStore.js |  3 +++
>  2 files changed, 17 insertions(+), 7 deletions(-)
> 



applied series, thanks!



