public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [RFC PATCH docs 4/4] pveum: document 'additive' ACL option
Date: Thu, 16 Jul 2026 01:20:02 +0200	[thread overview]
Message-ID: <20260715232121.1009607-5-t.lamprecht@proxmox.com> (raw)
In-Reply-To: <20260715232121.1009607-1-t.lamprecht@proxmox.com>

The additive flag overrides the default "deeper replaces upper" rule
for individual ACL entries. Describe the semantics, the interaction
with NoAccess, and the requirement for 'propagate' so admins can
choose between replace-based scoped delegation and accumulate-based
broad permissions.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 pveum.adoc | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/pveum.adoc b/pveum.adoc
index d089cb6..b8781e1 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -983,6 +983,54 @@ set by default). We use the following inheritance rules:
 Additionally, privilege separated tokens can never have permissions on any
 given path that their associated user does not have.
 
+[[pveum_additive_permissions]]
+Additive Permissions
+++++++++++++++++++++
+
+By default, an ACL entry on a deeper path fully replaces the roles inherited
+from ancestor paths. Sometimes you want a broader set of permissions granted
+at a high level to remain in effect even where a more specific ACL entry is
+set below. A typical case is auditors that should keep read access across
+the entire tree regardless of scoped delegations further down.
+
+Setting the `additive` flag on an ACL entry makes its roles accumulate rather
+than be replaced: the entry's roles are merged with roles granted by more
+specific ACL entries below, instead of being overridden by them.
+
+For example, granting an `auditors` group `PVEAuditor` additively at the
+root path:
+
+----
+# pveum acl modify / --groups auditors --roles PVEAuditor --propagate 1 --additive 1
+----
+
+then assigning a regular non-additive role to a user on a specific VM:
+
+----
+# pveum acl modify /vms/100 --users alice@pve --roles PVEVMAdmin
+----
+
+leaves `alice@pve` (assuming they are a member of the `auditors` group) with
+both `PVEAuditor` (carried from the additive ancestor entry) and
+`PVEVMAdmin` (from the direct ACL) when accessing VM 100.
+
+Notes:
+
+* `additive` requires `propagate` to be set; an entry that does not cascade
+  down has nothing to merge into deeper paths.
+* `additive` is independent of tier precedence: even when a higher-tier ACL
+  entry (`token` over `user` over `group`) wins the role set at a given
+  level, additive roles from any tier at that level still carry forward.
+* `NoAccess` on an additive entry blocks all access at deeper paths, even
+  against roles granted by more specific ACL entries below. Conversely, a
+  non-additive `NoAccess` set at a deeper path cancels carried additive
+  roles at and below that path, matching the rule that `NoAccess` cancels
+  all other roles on a given path.
+* Privilege separated API tokens are evaluated against their own ACL tree.
+  Additive entries on the underlying user do not leak into the token's
+  effective roles; its effective privileges remain the intersection of its
+  own ACL grants and the user's privileges.
+
 [[pveum_pools]]
 Pools
 ~~~~~

base-commit: f2632cea11fc1000ddff53249527ca2493372a13
-- 
2.47.3





      parent reply	other threads:[~2026-07-15 23:22 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-15 23:19 [RFC PATCH 0/4] add 'additive' flag to ACL entries Thomas Lamprecht
2026-07-15 23:19 ` [RFC PATCH access-control 1/4] acl: support 'additive' option on " Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH access-control 2/4] api: acl: expose 'additive' flag via GET and PUT Thomas Lamprecht
2026-07-15 23:20 ` [RFC PATCH manager 3/4] ui: acl: expose the 'additive' ACL flag Thomas Lamprecht
2026-07-15 23:20 ` Thomas Lamprecht [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260715232121.1009607-5-t.lamprecht@proxmox.com \
    --to=t.lamprecht@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal