public inbox for pve-devel@lists.proxmox.com
From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [RFC qemu-server 1/1] allow setting ipconfigX with VM.Config.Cloudinit
Date: Wed,  3 May 2023 09:52:03 +0200
Message-ID: <20230503075203.3293562-4-f.gruenbichler@proxmox.com>
In-Reply-To: <20230503075203.3293562-1-f.gruenbichler@proxmox.com>

these config keys only affect the cloudinit drive contents (and state of the
guest inside the VM), they are not used anywhere on the hypervisor side, so
they should not require VM.Config.Network (which allows a lot more, such as
changing vNIC VLAN tags or the bridges they are connected to).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
https://forum.proxmox.com/threads/role-vm-config-networking-prevent-cloud-init-networking.126719
and https://bugzilla.proxmox.com/show_bug.cgi?id=2741 for some prior
discussions..

 PVE/API2/Qemu.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 587bb222..0999a9ef 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -631,9 +631,9 @@ my $check_vm_modify_config_perm = sub {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.PowerMgmt']);
 	} elsif ($diskoptions->{$opt}) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Disk']);
-	} elsif ($opt =~ m/^(?:net|ipconfig)\d+$/) {
+	} elsif ($opt =~ m/^net\d+$/) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Network']);
-	} elsif ($cloudinitoptions->{$opt}) {
+	} elsif ($cloudinitoptions->{$opt} || $opt =~ m/^ipconfig\d+$/) {
 	    $rpcenv->check_vm_perm($authuser, $vmid, $pool, ['VM.Config.Cloudinit', 'VM.Config.Network'], 1);
 	} elsif ($opt eq 'vmstate') {
 	    # the user needs Disk and PowerMgmt privileges to change the vmstate
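
Review bot: In the `elsif ($cloudinitoptions->{$opt} || $opt =~ m/^ipconfig\d+$/)` branch, nothing in the code records why ipconfigX is now grouped with the cloud-init options while netX stays under VM.Config.Network alone. A one-line comment there, along the lines of the commit message (ipconfigX only affects the cloudinit drive contents, netX changes the vNIC on the hypervisor side), would keep a later cleanup from merging the two patterns again. The check in that branch passes both `VM.Config.Cloudinit` and `VM.Config.Network` with a trailing `1`, which reads as an any-of check; if so, holders of VM.Config.Network alone keep the ability to set ipconfigX and the change only widens access for VM.Config.Cloudinit holders, which is worth stating in the commit message for anyone auditing role definitions. Since ipconfigX is matched by pattern rather than looked up in `$cloudinitoptions`, consider adding the keys to that hash instead so the cloud-init key set lives in one place, provided no other user of the hash is affected.
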
-- 
2.30.2

Thread overview: 5+ messages
2023-05-03  7:52 [pve-devel] [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Fabian Grünbichler
2023-05-03  7:52 ` [pve-devel] [PATCH manager 1/2] ui: cloudinit: match backend privilege checks Fabian Grünbichler
2023-05-03  7:52 ` [pve-devel] [RFC manager 2/2] ui: cloudinit: also allow ipconfig with VM.Config.Cloudinit Fabian Grünbichler
2023-05-03  7:52 ` Fabian Grünbichler [this message]
2023-06-07 16:24 ` [pve-devel] applied: [PATCH manager/qemu-server 0/3] Cloudinit priv adaptations Thomas Lamprecht