From: Jakob Klocker <j.klocker@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Jakob Klocker <j.klocker@proxmox.com>
Subject: [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates
Date: Thu, 28 May 2026 13:35:01 +0200 [thread overview]
Message-ID: <20260528113505.12961-1-j.klocker@proxmox.com> (raw)
Managing node certificates currently requires broad /nodes/{node}
permissions, which violates the least-privilege principle. This
series adds /nodes/{node}/certificates as a dedicated ACL path and
moves the relevant permission checks onto it, so certificate
management can be done without granting node-wide rights.
The pve-access-control patch registers the new ACL path and must be
applied first. The pve-manager patches depend on it for the API
permission checks and the GUI path selector.
pve-access-control:
Jakob Klocker (1):
fix #7513: acl: allow ACL access to /nodes/{node}/certificates path
src/PVE/AccessControl.pm | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
pve-manager:
Jakob Klocker (2):
fix #7513: api: certs: change ACL on certificates path
fix #7513: ui: perm path store: add per-node certificates ACL path
PVE/API2/ACME.pm | 6 +++---
PVE/API2/Certificates.pm | 4 ++--
www/manager6/data/PermPathStore.js | 11 +++++++++--
3 files changed, 14 insertions(+), 7 deletions(-)
--
2.47.3
next reply other threads:[~2026-05-28 11:36 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 11:35 Jakob Klocker [this message]
2026-05-28 11:35 ` [PATCH access-control 1/3] fix #7513: acl: allow ACL access to /nodes/{node}/certificates path Jakob Klocker
2026-05-28 11:35 ` [PATCH manager 2/3] fix #7513: api: certs: change ACL on certificates path Jakob Klocker
2026-05-28 11:35 ` [PATCH manager 3/3] fix #7513: ui: perm path store: add per-node certificates ACL path Jakob Klocker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260528113505.12961-1-j.klocker@proxmox.com \
--to=j.klocker@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox