public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge
@ 2023-06-04 23:37 Alexandre Derumier
  2023-06-04 23:37 ` [pve-devel] [PATCH pve-access-control 1/2] access control: add /sdn/vnets/<vnet>/<vlan> path Alexandre Derumier
                   ` (6 more replies)
  0 siblings, 7 replies; 18+ messages in thread
From: Alexandre Derumier @ 2023-06-04 23:37 UTC (permalink / raw)
  To: pve-devel

add vnet/localbridge permissions management

Hi,
as we has discuted some weeks ago,
this patche serie introduce management of acl for vnets && local bridges

I have reuse current sdn permissions path, to have common paths

/sdn/vnets/<zone>/<vnet>

where the local vmbr are in a virtual "localnetwork" zone

/sdn/vnets/local/<vnet>

Vlans permissions  are also handled with
/sdn/vnets/<zone>/<vnet>/<tag>

if user have permissions on the zone, he have access to all vnets/vlan
if user have permissions on the vnet/tag, he have access to only the specific vlan.
if user have permissions on the vnet, he have access to all vlans of the vnet

I have reworked the sdn zone panel from the tree, to manage permissions
on displayed vnets.

some screenshots:

https://mutulin1.odiso.net/sdnzone-perm.png
https://mutulin1.odiso.net/localzone-perm.png


for proxmox7: (for users be able to add permissions before upgrade to pve8)
pve-access-control: patch1 (to new /vnet/vlan path)
pve-manager : patch1-2 for the new gui


changelog v2:
 - use /vnets/vlan instead /vnets.vlan
 - rework the bridge filtering when user have access only to a specific vlan
 - api2 network: always check bridge access if no filter is defined

todo:
 - add permissions on clone/restore ?



pve-access-control:

Alexandre Derumier (2):
  access control: add /sdn/vnets/<vnet>/<vlan> path
  rpcenvironnment: add check_sdn_bridge

 src/PVE/AccessControl.pm  |  1 +
 src/PVE/RPCEnvironment.pm | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)


pve-manager:

Alexandre Derumier (3):
  add vnet permissions panel
  add permissions management for "localnetwork" zone
  api2: network: check permissions for local bridges

 PVE/API2/Cluster.pm                  |  12 ++
 PVE/API2/Network.pm                  |  26 ++-
 www/manager6/Makefile                |   2 +
 www/manager6/sdn/Browser.js          |  17 +-
 www/manager6/sdn/VnetACLView.js      | 299 +++++++++++++++++++++++++++
 www/manager6/sdn/ZoneContentPanel.js |  41 ++++
 www/manager6/sdn/ZoneContentView.js  |  52 ++++-
 7 files changed, 420 insertions(+), 29 deletions(-)
 create mode 100644 www/manager6/sdn/VnetACLView.js
 create mode 100644 www/manager6/sdn/ZoneContentPanel.js

qemu-server:

Alexandre Derumier (1):
  api2: add check_bridge_access for create/update vm

 PVE/API2/Qemu.pm | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)


-- 
2.30.2




^ permalink raw reply	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2023-06-06 12:37 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-04 23:37 [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH pve-access-control 1/2] access control: add /sdn/vnets/<vnet>/<vlan> path Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH v2 pve-manager 1/3] add vnet permissions panel Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH v2 qemu-server 1/1] api2: add check_bridge_access for create/update vm Alexandre Derumier
2023-06-05  7:38   ` Thomas Lamprecht
2023-06-06  4:20     ` DERUMIER, Alexandre
2023-06-05 10:12   ` Fabian Grünbichler
2023-06-04 23:37 ` [pve-devel] [PATCH v2 pve-manager 2/3] add permissions management for "localnetwork" zone Alexandre Derumier
2023-06-04 23:37 ` [pve-devel] [PATCH pve-access-control 2/2] rpcenvironnment: add check_sdn_bridge Alexandre Derumier
2023-06-05 10:12   ` Fabian Grünbichler
2023-06-06 12:15     ` DERUMIER, Alexandre
2023-06-06 12:37       ` Fabian Grünbichler
2023-06-04 23:37 ` [pve-devel] [PATCH v2 pve-manager 3/3] api2: network: check permissions for local bridges Alexandre Derumier
2023-06-05 10:13 ` [pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge Fabian Grünbichler
2023-06-06  5:32   ` DERUMIER, Alexandre
2023-06-06  6:54     ` DERUMIER, Alexandre
2023-06-06  7:43       ` Fabian Grünbichler
2023-06-06  7:31     ` Fabian Grünbichler

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal