From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 355611FF13C for ; Thu, 28 May 2026 13:36:44 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id C9EA314EB9; Thu, 28 May 2026 13:36:43 +0200 (CEST) From: Jakob Klocker To: pve-devel@lists.proxmox.com Subject: [PATCH manager/access-control 0/3] fix #7513: fine-grained ACL for node certificates Date: Thu, 28 May 2026 13:35:01 +0200 Message-ID: <20260528113505.12961-1-j.klocker@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.150 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RDNS_NONE 0.793 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Message-ID-Hash: 7ONGYCFYIYHT4YSRT4HHPK4UVJUMPVW4 X-Message-ID-Hash: 7ONGYCFYIYHT4YSRT4HHPK4UVJUMPVW4 X-MailFrom: root@dev.proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Jakob Klocker X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Managing node certificates currently requires broad /nodes/{node} permissions, which violates the least-privilege principle. This series adds /nodes/{node}/certificates as a dedicated ACL path and moves the relevant permission checks onto it, so certificate management can be done without granting node-wide rights. The pve-access-control patch registers the new ACL path and must be applied first. The pve-manager patches depend on it for the API permission checks and the GUI path selector. pve-access-control: Jakob Klocker (1): fix #7513: acl: allow ACL access to /nodes/{node}/certificates path src/PVE/AccessControl.pm | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) pve-manager: Jakob Klocker (2): fix #7513: api: certs: change ACL on certificates path fix #7513: ui: perm path store: add per-node certificates ACL path PVE/API2/ACME.pm | 6 +++--- PVE/API2/Certificates.pm | 4 ++-- www/manager6/data/PermPathStore.js | 11 +++++++++-- 3 files changed, 14 insertions(+), 7 deletions(-) -- 2.47.3