* [pve-devel] [PATCH-SERIES pve-access-control/pve-manager] Add firewall caps
@ 2023-03-27 10:18 Alexandre Derumier
2023-03-27 10:18 ` [pve-devel] [PATCH pve-access-control 1/1] rpcenv: compute_api_permission : add default root dc.Sys.Modify Alexandre Derumier
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Alexandre Derumier @ 2023-03-27 10:18 UTC (permalink / raw)
To: pve-devel
This patch series adds missing caps on firewall buttons in different
firewall grids and panels, and also adds correct audit permissions on
vm|ct firewall menus.
For datacenter, it's using Sys.Modify, but currently the
root user doesn't have this guicap by default on datacenter.
The pve-access-control patch adds this permission.
(Please double check this patch, I'm not sure I understand this code
correctly, but my tests don't seem to change the default perms of users
other than root)
pve-access-control:
Alexandre Derumier (1):
rpcenv: compute_api_permission : add default root dc.Sys.Modify
src/PVE/RPCEnvironment.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
pve-manager:
Alexandre Derumier (2):
ui: qemu|lxc : fix firewall menu caps
ui: firewall panel/grids : add caps on buttons
www/manager6/dc/SecurityGroups.js | 7 +++++++
www/manager6/grid/FirewallAliases.js | 6 ++++++
www/manager6/grid/FirewallOptions.js | 6 +++++-
www/manager6/grid/FirewallRules.js | 17 ++++++++++++-----
www/manager6/lxc/Config.js | 7 ++++++-
www/manager6/panel/IPSet.js | 18 +++++++++++++++++-
www/manager6/qemu/Config.js | 9 +++++++--
7 files changed, 60 insertions(+), 10 deletions(-)
--
2.30.2
* [pve-devel] [PATCH pve-access-control 1/1] rpcenv: compute_api_permission : add default root dc.Sys.Modify
2023-03-27 10:18 [pve-devel] [PATCH-SERIES pve-access-control/pve-manager] Add firewall caps Alexandre Derumier
@ 2023-03-27 10:18 ` Alexandre Derumier
2023-06-07 10:04 ` [pve-devel] applied: " Thomas Lamprecht
2023-03-27 10:18 ` [pve-devel] [PATCH pve-manager 1/2] ui: qemu|lxc : fix firewall menu caps Alexandre Derumier
2023-03-27 10:18 ` [pve-devel] [PATCH pve-manager 2/2] ui: firewall panel/grids : add caps on buttons Alexandre Derumier
2 siblings, 1 reply; 6+ messages in thread
From: Alexandre Derumier @ 2023-03-27 10:18 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
src/PVE/RPCEnvironment.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 8586938..0de746a 100644
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -186,7 +186,7 @@ sub compute_api_permission {
storage => qr/Datastore\.|Permissions\.Modify/,
nodes => qr/Sys\.|Permissions\.Modify/,
sdn => qr/SDN\.|Permissions\.Modify/,
- dc => qr/Sys\.Audit|SDN\./,
+ dc => qr/Sys\.Audit|Sys\.Modify|SDN\./,
};
map { $res->{$_} = {} } keys %$priv_re_map;
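Review bot: The commit message has no body, and the cover letter explicitly asks for a second look at this line, so the rationale belongs in the message: the `dc` pattern now enumerates `Sys\.Audit|Sys\.Modify|SDN\.`, while `nodes` two lines above matches the whole `Sys\.` prefix. Please state why `dc` gains only `Sys.Modify` rather than the prefix match. Also note that these alternations are unanchored, so if they are applied with a plain `=~`, any privilege name containing one of these substrings matches too.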
--
2.30.2
* [pve-devel] [PATCH pve-manager 1/2] ui: qemu|lxc : fix firewall menu caps
2023-03-27 10:18 [pve-devel] [PATCH-SERIES pve-access-control/pve-manager] Add firewall caps Alexandre Derumier
2023-03-27 10:18 ` [pve-devel] [PATCH pve-access-control 1/1] rpcenv: compute_api_permission : add default root dc.Sys.Modify Alexandre Derumier
@ 2023-03-27 10:18 ` Alexandre Derumier
2023-06-07 11:24 ` [pve-devel] applied: " Dominik Csapak
2023-03-27 10:18 ` [pve-devel] [PATCH pve-manager 2/2] ui: firewall panel/grids : add caps on buttons Alexandre Derumier
2 siblings, 1 reply; 6+ messages in thread
From: Alexandre Derumier @ 2023-03-27 10:18 UTC (permalink / raw)
To: pve-devel
The current Vm.Console cap is wrong.
Only the log API needs Vm.Console;
other API calls need Vm.Audit or VM.Config.Network.
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
www/manager6/lxc/Config.js | 7 ++++++-
www/manager6/qemu/Config.js | 9 +++++++--
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/www/manager6/lxc/Config.js b/www/manager6/lxc/Config.js
index 23c17d2e..85d32e3c 100644
--- a/www/manager6/lxc/Config.js
+++ b/www/manager6/lxc/Config.js
@@ -304,7 +304,7 @@ Ext.define('PVE.lxc.Config', {
});
}
- if (caps.vms['VM.Console']) {
+ if (caps.vms['VM.Audit']) {
me.items.push(
{
xtype: 'pveFirewallRules',
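Review bot: The new gate `if (caps.vms['VM.Audit'])` does not match the commit message, which says the non-log calls need Vm.Audit or VM.Config.Network. As written, a user holding only VM.Config.Network no longer gets the firewall items pushed in this block. Either test both caps here or change the message to say that VM.Audit alone is required to view them.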
@@ -342,6 +342,11 @@ Ext.define('PVE.lxc.Config', {
list_refs_url: base_url + '/firewall/refs',
itemId: 'firewall-ipset',
},
+ );
+ }
+
+ if (caps.vms['VM.Console']) {
+ me.items.push(
{
title: gettext('Log'),
groups: ['firewall'],
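Review bot: The Log item is now pushed from its own `if (caps.vms['VM.Console'])` block, independent of the VM.Audit block above, yet it still declares `groups: ['firewall']`. If the parent entry of that group is one of the items pushed under VM.Audit, a user with VM.Console and no VM.Audit ends up with a Log entry under a group that was never added. Consider nesting this check inside the VM.Audit block, or test that combination explicitly and mention the result in the commit message.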
diff --git a/www/manager6/qemu/Config.js b/www/manager6/qemu/Config.js
index 94c540c5..6acf589c 100644
--- a/www/manager6/qemu/Config.js
+++ b/www/manager6/qemu/Config.js
@@ -339,7 +339,7 @@ Ext.define('PVE.qemu.Config', {
});
}
- if (caps.vms['VM.Console']) {
+ if (caps.vms['VM.Audit']) {
me.items.push(
{
xtype: 'pveFirewallRules',
@@ -377,7 +377,12 @@ Ext.define('PVE.qemu.Config', {
list_refs_url: base_url + '/firewall/refs',
itemId: 'firewall-ipset',
},
- {
+ );
+ }
+
+ if (caps.vms['VM.Console']) {
+ me.items.push(
+ {
title: gettext('Log'),
groups: ['firewall'],
iconCls: 'fa fa-list',
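Review bot: Nothing in the code explains why the Log item has a different gate from the other firewall items, and the same split is repeated here and in lxc/Config.js. A short comment above each `if` naming the API call that requires the cap (VM.Audit for the firewall views, VM.Console for the log) would keep the two copies from drifting apart.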
--
2.30.2
* [pve-devel] [PATCH pve-manager 2/2] ui: firewall panel/grids : add caps on buttons
2023-03-27 10:18 [pve-devel] [PATCH-SERIES pve-access-control/pve-manager] Add firewall caps Alexandre Derumier
2023-03-27 10:18 ` [pve-devel] [PATCH pve-access-control 1/1] rpcenv: compute_api_permission : add default root dc.Sys.Modify Alexandre Derumier
2023-03-27 10:18 ` [pve-devel] [PATCH pve-manager 1/2] ui: qemu|lxc : fix firewall menu caps Alexandre Derumier
@ 2023-03-27 10:18 ` Alexandre Derumier
2 siblings, 0 replies; 6+ messages in thread
From: Alexandre Derumier @ 2023-03-27 10:18 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
---
www/manager6/dc/SecurityGroups.js | 7 +++++++
www/manager6/grid/FirewallAliases.js | 6 ++++++
www/manager6/grid/FirewallOptions.js | 6 +++++-
www/manager6/grid/FirewallRules.js | 17 ++++++++++++-----
www/manager6/panel/IPSet.js | 18 +++++++++++++++++-
5 files changed, 47 insertions(+), 7 deletions(-)
diff --git a/www/manager6/dc/SecurityGroups.js b/www/manager6/dc/SecurityGroups.js
index 26172bf3..b19e370b 100644
--- a/www/manager6/dc/SecurityGroups.js
+++ b/www/manager6/dc/SecurityGroups.js
@@ -100,6 +100,8 @@ Ext.define('PVE.SecurityGroupList', {
let sm = Ext.create('Ext.selection.RowModel', {});
+ let caps = Ext.state.Manager.get('GuiCap');
+
let reload = function() {
let oldrec = sm.getSelection()[0];
store.load((records, operation, success) => {
@@ -130,12 +132,14 @@ Ext.define('PVE.SecurityGroupList', {
me.editBtn = new Proxmox.button.Button({
text: gettext('Edit'),
+ enableFn: rec => !!caps.dc['Sys.Modify'],
disabled: true,
selModel: sm,
handler: run_editor,
});
me.addBtn = new Proxmox.button.Button({
text: gettext('Create'),
+ disabled: !caps.dc['Sys.Modify'],
handler: function() {
sm.deselectAll();
var win = Ext.create('PVE.SecurityGroupEdit', {});
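Review bot: Setting `enableFn` and `disabled` on the buttons only covers the toolbar; `run_editor` remains reachable from anything else bound to it (a row double-click listener, if the grid has one), which this hunk does not touch. Gate `run_editor` itself with an early return when `!caps.dc['Sys.Modify']` so that every entry point is covered. The unused `rec` parameter in `rec => !!caps.dc['Sys.Modify']` can be dropped as well.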
@@ -148,6 +152,9 @@ Ext.define('PVE.SecurityGroupList', {
selModel: sm,
baseurl: me.base_url + '/',
enableFn: function(rec) {
+ if (!caps.dc['Sys.Modify']) {
+ return false;
+ }
return rec && me.base_url;
},
callback: () => reload(),
diff --git a/www/manager6/grid/FirewallAliases.js b/www/manager6/grid/FirewallAliases.js
index 00d0d74b..b6f07334 100644
--- a/www/manager6/grid/FirewallAliases.js
+++ b/www/manager6/grid/FirewallAliases.js
@@ -104,6 +104,8 @@ Ext.define('PVE.FirewallAliases', {
let sm = Ext.create('Ext.selection.RowModel', {});
+ let caps = Ext.state.Manager.get('GuiCap');
+
let reload = function() {
let oldrec = sm.getSelection()[0];
store.load(function(records, operation, success) {
@@ -133,11 +135,13 @@ Ext.define('PVE.FirewallAliases', {
text: gettext('Edit'),
disabled: true,
selModel: sm,
+ enableFn: rec => !!caps.vms['VM.Config.Network'] || !!caps.dc['Sys.Modify'] || !!caps.nodes['Sys.Modify'],
handler: run_editor,
});
me.addBtn = Ext.create('Ext.Button', {
text: gettext('Add'),
+ disabled: !caps.vms['VM.Config.Network'] && !caps.dc['Sys.Modify'] && !caps.nodes['Sys.Modify'],
handler: function() {
var win = Ext.create('PVE.FirewallAliasEdit', {
base_url: me.base_url,
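Review bot: The check `caps.vms['VM.Config.Network'] || caps.dc['Sys.Modify'] || caps.nodes['Sys.Modify']` ignores which level this grid is displaying, so holding any one of the three caps enables Edit and Add at all three levels. The grid already knows its `base_url`, so pick the single cap that matches that level, and move the test into one helper instead of repeating the expression on every button.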
@@ -148,7 +152,9 @@ Ext.define('PVE.FirewallAliases', {
});
me.removeBtn = Ext.create('Proxmox.button.StdRemoveButton', {
+ disabled: true,
selModel: sm,
+ enableFn: rec => !!caps.vms['VM.Config.Network'] || !!caps.dc['Sys.Modify'] || !!caps.nodes['Sys.Modify'],
baseurl: me.base_url + '/',
callback: reload,
});
diff --git a/www/manager6/grid/FirewallOptions.js b/www/manager6/grid/FirewallOptions.js
index 4123bd9f..98b1d258 100644
--- a/www/manager6/grid/FirewallOptions.js
+++ b/www/manager6/grid/FirewallOptions.js
@@ -21,6 +21,8 @@ Ext.define('PVE.FirewallOptions', {
throw "unknown firewall option type";
}
+ let caps = Ext.state.Manager.get('GuiCap');
+
me.rows = {};
var add_boolean_row = function(name, text, defaultValue) {
@@ -161,7 +163,9 @@ Ext.define('PVE.FirewallOptions', {
return;
}
var rowdef = me.rows[rec.data.key];
- edit_btn.setDisabled(!rowdef.editor);
+ if (caps.vms['VM.Config.Network'] || caps.dc['Sys.Modify'] || caps.nodes['Sys.Modify']) {
+ edit_btn.setDisabled(!rowdef.editor);
+ }
};
Ext.apply(me, {
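Review bot: When none of the three caps is set, the new `if` skips `edit_btn.setDisabled(...)` altogether, so the button keeps whatever state it had before instead of being forced off. Make the outcome explicit: compute the cap test once into a variable such as `canEdit` and call `edit_btn.setDisabled(!canEdit || !rowdef.editor);`.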
diff --git a/www/manager6/grid/FirewallRules.js b/www/manager6/grid/FirewallRules.js
index 5777c7f4..6b3abb1b 100644
--- a/www/manager6/grid/FirewallRules.js
+++ b/www/manager6/grid/FirewallRules.js
@@ -569,11 +569,14 @@ Ext.define('PVE.FirewallRules', {
}
me.store.removeAll();
} else {
- me.addBtn.setDisabled(false);
- me.removeBtn.baseurl = url + '/';
- if (me.groupBtn) {
- me.groupBtn.setDisabled(false);
+ if (me.caps.vms['VM.Config.Network'] || me.caps.dc['Sys.Modify'] || me.caps.nodes['Sys.Modify']) {
+ me.addBtn.setDisabled(false);
+ if (me.groupBtn) {
+ me.groupBtn.setDisabled(false);
+ }
}
+ me.removeBtn.baseurl = url + '/';
+
me.store.setProxy({
type: 'proxmox',
url: '/api2/json' + url,
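Review bot: `me.caps` is read in this branch but only assigned in the later hunk at line 652, next to the selection model setup. If this code can run before that assignment, `me.caps.vms` throws; assign `me.caps` at the very start of initialization or fetch `Ext.state.Manager.get('GuiCap')` locally here. The branch without caps also never calls `setDisabled(true)`, so it depends on the buttons already being disabled at this point.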
@@ -649,6 +652,8 @@ Ext.define('PVE.FirewallRules', {
var sm = Ext.create('Ext.selection.RowModel', {});
+ me.caps = Ext.state.Manager.get('GuiCap');
+
var run_editor = function() {
var rec = sm.getSelection()[0];
if (!rec) {
@@ -680,6 +685,7 @@ Ext.define('PVE.FirewallRules', {
me.editBtn = Ext.create('Proxmox.button.Button', {
text: gettext('Edit'),
disabled: true,
+ enableFn: rec => !!me.caps.vms['VM.Config.Network'] || !!me.caps.dc['Sys.Modify'] || !!me.caps.nodes['Sys.Modify'],
selModel: sm,
handler: run_editor,
});
@@ -721,7 +727,7 @@ Ext.define('PVE.FirewallRules', {
me.copyBtn = Ext.create('Proxmox.button.Button', {
text: gettext('Copy'),
selModel: sm,
- enableFn: ({ data }) => data.type === 'in' || data.type === 'out',
+ enableFn: ({ data }) => (data.type === 'in' || data.type === 'out') && (!!me.caps.vms['VM.Config.Network'] || !!me.caps.dc['Sys.Modify'] || !!me.caps.nodes['Sys.Modify']),
disabled: true,
handler: run_copy_editor,
});
@@ -743,6 +749,7 @@ Ext.define('PVE.FirewallRules', {
}
me.removeBtn = Ext.create('Proxmox.button.StdRemoveButton', {
+ enableFn: rec => !!me.caps.vms['VM.Config.Network'] || !!me.caps.dc['Sys.Modify'] || !!me.caps.nodes['Sys.Modify'],
selModel: sm,
baseurl: me.base_url + '/',
confirmMsg: false,
diff --git a/www/manager6/panel/IPSet.js b/www/manager6/panel/IPSet.js
index a4606769..784d0ea7 100644
--- a/www/manager6/panel/IPSet.js
+++ b/www/manager6/panel/IPSet.js
@@ -42,6 +42,8 @@ Ext.define('PVE.IPSetList', {
},
});
+ var caps = Ext.state.Manager.get('GuiCap');
+
var sm = Ext.create('Ext.selection.RowModel', {});
var reload = function() {
@@ -94,6 +96,7 @@ Ext.define('PVE.IPSetList', {
me.editBtn = new Proxmox.button.Button({
text: gettext('Edit'),
disabled: true,
+ enableFn: rec => !!caps.vms['VM.Config.Network'] || !!caps.dc['Sys.Modify'] || !!caps.nodes['Sys.Modify'],
selModel: sm,
handler: run_editor,
});
@@ -128,6 +131,7 @@ Ext.define('PVE.IPSetList', {
});
me.removeBtn = Ext.create('Proxmox.button.StdRemoveButton', {
+ enableFn: rec => !!caps.vms['VM.Config.Network'] || !!caps.dc['Sys.Modify'] || !!caps.nodes['Sys.Modify'],
selModel: sm,
baseurl: me.base_url + '/',
callback: reload,
@@ -154,6 +158,10 @@ Ext.define('PVE.IPSetList', {
},
});
+ if (!caps.vms['VM.Config.Network'] && !caps.dc['Sys.Modify'] && !caps.nodes['Sys.Modify']) {
+ me.addBtn.setDisabled(true);
+ }
+
me.callParent();
store.load();
@@ -268,7 +276,9 @@ Ext.define('PVE.IPSetGrid', {
me.addBtn.setDisabled(true);
me.store.removeAll();
} else {
- me.addBtn.setDisabled(false);
+ if (me.caps.vms['VM.Config.Network'] || me.caps.dc['Sys.Modify'] || me.caps.nodes['Sys.Modify']) {
+ me.addBtn.setDisabled(false);
+ }
me.removeBtn.baseurl = url + '/';
me.store.setProxy({
type: 'proxmox',
@@ -296,6 +306,8 @@ Ext.define('PVE.IPSetGrid', {
var sm = Ext.create('Ext.selection.RowModel', {});
+ me.caps = Ext.state.Manager.get('GuiCap');
+
var run_editor = function() {
var rec = sm.getSelection()[0];
if (!rec) {
@@ -312,6 +324,7 @@ Ext.define('PVE.IPSetGrid', {
me.editBtn = new Proxmox.button.Button({
text: gettext('Edit'),
disabled: true,
+ enableFn: rec => !!me.caps.vms['VM.Config.Network'] || !!me.caps.dc['Sys.Modify'] || !!me.caps.nodes['Sys.Modify'],
selModel: sm,
handler: run_editor,
});
@@ -319,6 +332,7 @@ Ext.define('PVE.IPSetGrid', {
me.addBtn = new Proxmox.button.Button({
text: gettext('Add'),
disabled: true,
+ enableFn: rec => !!me.caps.vms['VM.Config.Network'] || !!me.caps.dc['Sys.Modify'] || !!me.caps.nodes['Sys.Modify'],
handler: function() {
if (!me.base_url) {
return;
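Review bot: The `enableFn` added to `addBtn` has no `selModel` next to it in this hunk, unlike the Edit and Remove buttons, so it is unclear what would ever evaluate it; the Add button's state is already driven by `me.addBtn.setDisabled(...)` in the hunk at line 268. Drop the `enableFn` here or document which event is expected to trigger it.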
@@ -333,6 +347,8 @@ Ext.define('PVE.IPSetGrid', {
});
me.removeBtn = Ext.create('Proxmox.button.StdRemoveButton', {
+ disabled: true,
+ enableFn: rec => !!me.caps.vms['VM.Config.Network'] || !!me.caps.dc['Sys.Modify'] || !!me.caps.nodes['Sys.Modify'],
selModel: sm,
baseurl: me.base_url + '/',
callback: reload,
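Review bot: `disabled: true` is added to this remove button and to the one in FirewallAliases.js, but the remove buttons in FirewallRules.js and PVE.IPSetList only receive the `enableFn`. Apply the same initial state to all four, or explain the difference in the commit message, which currently has no body describing the intended behaviour.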
--
2.30.2
* [pve-devel] applied: [PATCH pve-access-control 1/1] rpcenv: compute_api_permission : add default root dc.Sys.Modify
2023-03-27 10:18 ` [pve-devel] [PATCH pve-access-control 1/1] rpcenv: compute_api_permission : add default root dc.Sys.Modify Alexandre Derumier
@ 2023-06-07 10:04 ` Thomas Lamprecht
0 siblings, 0 replies; 6+ messages in thread
From: Thomas Lamprecht @ 2023-06-07 10:04 UTC (permalink / raw)
To: Proxmox VE development discussion, Alexandre Derumier
On 27/03/2023 at 12:18, Alexandre Derumier wrote:
> Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
> ---
> src/PVE/RPCEnvironment.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>
applied, thanks!
* [pve-devel] applied: [PATCH pve-manager 1/2] ui: qemu|lxc : fix firewall menu caps
2023-03-27 10:18 ` [pve-devel] [PATCH pve-manager 1/2] ui: qemu|lxc : fix firewall menu caps Alexandre Derumier
@ 2023-06-07 11:24 ` Dominik Csapak
0 siblings, 0 replies; 6+ messages in thread
From: Dominik Csapak @ 2023-06-07 11:24 UTC (permalink / raw)
To: Proxmox VE development discussion, Alexandre Derumier
applied both ui patches with slight rewording of the commit subject/message
+ a short follow-up to also prevent double clicking