From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 31FA78815 for ; Wed, 16 Nov 2022 09:47:28 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 197041C122 for ; Wed, 16 Nov 2022 09:47:28 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 16 Nov 2022 09:47:27 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 60D8543F0C; Wed, 16 Nov 2022 09:47:27 +0100 (CET) Message-ID: <895c5e1e-4de0-19fe-91a0-f604cc451be8@proxmox.com> Date: Wed, 16 Nov 2022 09:47:26 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Thunderbird/107.0 To: Proxmox VE development discussion , =?UTF-8?Q?Fabian_Gr=C3=BCnbichler?= References: <20221115130248.1007325-1-d.csapak@proxmox.com> <20221115130248.1007325-5-d.csapak@proxmox.com> <1668524410.yomu90q6hb.astroid@yuna.none> Content-Language: en-US From: Dominik Csapak In-Reply-To: <1668524410.yomu90q6hb.astroid@yuna.none> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-SPAM-LEVEL: Spam detection results: =?UTF-8?Q?0=0A=09?=AWL 0.066 Adjusted score from AWL reputation of From: =?UTF-8?Q?address=0A=09?=BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict =?UTF-8?Q?Alignment=0A=09?=NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF =?UTF-8?Q?Record=0A=09?=SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2022 08:47:28 -0000 most of the points are clear and ok for me, but [snip] >> + format => $user_tag_privs_format, >> + }, >> + 'privileged-tags' => { >> + optional => 1, >> + type => 'string', >> + description => "A list of tags that require a `Sys.Modify` on '/') to set and delete. " >> + ."Tags set here that are also in 'user-tag-access' also require `Sys.Modify`.", >> + pattern => "(?:${PVE::JSONSchema::PVE_TAG_RE};)*${PVE::JSONSchema::PVE_TAG_RE}", >> + typetext => "[;...]", > > stray 'a' and ')' in first sentence. > > I am not sure the second sentence is necessary, or rather, wouldn't it be better > to make the two lists mutually exclusive? e.g., by removing privileged tags from > the other list? i don't really want to auto remove stuff from one option when set on another. maybe it'd make more sense if we don't allow setting and admin tag when it's already set in the 'user-allow-list' and vice versa? then there cannot be a situation where a tag is in both lists at the same time?