public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
* [RFC PATCH 0/4] add 'additive' flag to ACL entries
@ 2026-07-15 23:19 Thomas Lamprecht
  2026-07-15 23:19 ` [RFC PATCH access-control 1/4] acl: support 'additive' option on " Thomas Lamprecht
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2026-07-15 23:19 UTC (permalink / raw)
  To: pve-devel

By default a more specific ACL entry on a deeper path fully replaces the
roles inherited from ancestor paths. That works well for scoped
delegation, but it is awkward when a role should apply to a whole
subtree. Take an auditor group that needs read access everywhere: today
that role has to be repeated on every deeper entry, and it quietly stops
applying as soon as someone adds a more specific ACL below.
I run into this frequently on some of our own infra especially if users
are part of multiple groups.

So, to make this a bit easier this series adds an optional per-entry
'additive' flag. An additive entry's roles are carried down the walk and
merged with more specific entries below instead of being replaced;
NoAccess still dominates. On disk it is a compact '+' option field on
the acl: line, exposed via the API and CLI as a boolean 'additive'.
See the docs patch - especially its Notes section - for some more
details.

Sending as RFC mainly for feedback on the overall semantics and also
happy to bikeshed the name and the on-disk '+' encoding (an extensible
option field, so future flags need no new positional column).

Basic docs and UI integration included to make it a bit more complete
and easier to test.

pve-access-control:

  acl: support 'additive' option on ACL entries
  api: acl: expose 'additive' flag via GET and PUT

 src/PVE/API2/ACL.pm       |  75 ++++++++++--
 src/PVE/AccessControl.pm  | 247 +++++++++++++++++++++++++++++---------
 src/test/Makefile         |   2 +
 src/test/api-acl-test.pl  | 223 ++++++++++++++++++++++++++++++++++
 src/test/parser_writer.pl | 149 +++++++++++++++++++++++
 src/test/perm-test9.pl    | 181 ++++++++++++++++++++++++++++
 src/test/test9.cfg        |  86 +++++++++++++
 7 files changed, 898 insertions(+), 65 deletions(-)

pve-manager:

  ui: acl: expose the 'additive' ACL flag

 www/manager6/dc/ACLView.js | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

pve-docs:

  pveum: document 'additive' ACL option

 pveum.adoc | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)


base-commit: dcda7019c90c550995e784c165c9786d5cef4ed3
-- 
2.47.3




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-15 23:22 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-15 23:19 [RFC PATCH 0/4] add 'additive' flag to ACL entries Thomas Lamprecht
2026-07-15 23:19 ` [RFC PATCH access-control 1/4] acl: support 'additive' option on " Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH access-control 2/4] api: acl: expose 'additive' flag via GET and PUT Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH manager 3/4] ui: acl: expose the 'additive' ACL flag Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH docs 4/4] pveum: document 'additive' ACL option Thomas Lamprecht

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal