From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id DCEAA1FF165 for ; Thu, 22 May 2025 18:27:06 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 628B4BEF0; Thu, 22 May 2025 18:26:18 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Date: Thu, 22 May 2025 18:16:49 +0200 Message-Id: <20250522161731.537011-34-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250522161731.537011-1-s.hanreich@proxmox.com> References: <20250522161731.537011-1-s.hanreich@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.367 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH pve-access-control v3 1/1] permissions: add ACL paths for SDN fabrics X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" Add permission path /sdn/fabrics/{fabric_id}. There are currently only SDN-specific permissions for the fabric itself, not the nodes. For displaying / editing the nodes, the existing permissions Sys.Audit or Sys.Modify on /nodes/{node} are required, because they are already used for viewing / editing the network configuration of a node. The node settings mostly revolve around configuring IPs and network interfaces on that node, so we decided to stick with the permission that is already governing that, since it would need to be checked when editing a node anyway. Otherwise, users with access to a fabric node could change parts of the network configuration of arbitrary interfaces that node, circumventing the current permission checks. A separate, SDN-specific, permission would not add much benefit because of that. Signed-off-by: Stefan Hanreich --- src/PVE/AccessControl.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 1c79656..70864b0 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -1273,6 +1273,8 @@ sub check_path { |/sdn/controllers/[[:alnum:]\_\-]+ |/sdn/dns |/sdn/dns/[[:alnum:]]+ + |/sdn/fabrics + |/sdn/fabrics/[[:alnum:]]+ |/sdn/ipams |/sdn/ipams/[[:alnum:]]+ |/sdn/zones -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel