From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 1F2C26E4DC for ; Mon, 23 Aug 2021 18:39:15 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 16DA626B5D for ; Mon, 23 Aug 2021 18:39:15 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id E4B4E26B52 for ; Mon, 23 Aug 2021 18:39:10 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id B02CA43688; Mon, 23 Aug 2021 18:39:10 +0200 (CEST) Message-ID: Date: Mon, 23 Aug 2021 18:39:05 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.0 Content-Language: en-GB To: Proxmox VE development discussion , alexandre derumier References: <20210805145900.3265228-1-aderumier@odiso.com> <20210805145900.3265228-4-aderumier@odiso.com> <144f9c657d3786883f5ed178362323a6e018f6f0.camel@odiso.com> From: Thomas Lamprecht In-Reply-To: <144f9c657d3786883f5ed178362323a6e018f6f0.camel@odiso.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.697 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.959 Looks like a legit reply (A) POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets. X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Aug 2021 16:39:15 -0000 On 07/08/2021 18:00, alexandre derumier wrote: > Hi, > abou this patch, I'm not sure it's the right way, a forum user request > that also sdnadmin can view vmbrX. > > I don't known how to hide correctly vmbrX bridge, as currently , we > don't have any permissions management, > and I don't want to break current users setup. > > maybe could we add a special permission like "noaccess" with path like > /bridge/vmbrX  ? > (we currently have a role "noaccess", but it's simply a role without > any permission. > We do not have "revoking privileges", only empty roles so adding that would change the whole ACL system quite a bit and IMO make it a bit more confusing that it already can be. Currently we handle giving more permissions in general but less permissions on a specific ACL object by just always using the more restrictive ACL configurations for specific paths. I.e., if one configures Admin on / with propagate and an empty role (like NoAccess) on /node/foo then they have no Admin privs on the foo node. I.e., you do not need to invent a negative priv. simply setting a empty or less privileged role on a more specific path is enough. So rather the IMO a bit more integrated way of achieving that would be adding a `/nodes//iface/` ACL path or the like. I mean, if we'd be sure it would be only always a bridge then we could avoid making that path node specific, as for them we assume that the one with the same ID are network wise "the same" already on different nodes in a cluster. I mean, we could also just see bridges as a vnet and handle them with the `/sdn/vnets/` path? Checking for every bridge/vnet if some priv. is available, we probably would need two privileges, one for "allowed to use" and a "allowed to modify" priv. (disclaimer, fresh back from vacation and did not really looked into this in detail, so just holler if something is stupid or not fitting the existing permission stuff of SDN :)) > > Le jeudi 05 août 2021 à 16:59 +0200, Alexandre Derumier a écrit : >> This remove vmbr* from bridgeselector if user have access to vnets. >> (as currently, we don't have have permission management on vmbr$) >> >> Signed-off-by: Alexandre Derumier >> --- >>  PVE/API2/Network.pm | 19 ++++++++++++------- >>  1 file changed, 12 insertions(+), 7 deletions(-) >> >> diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm >> index a26f36d2..02bd3bdb 100644 >> --- a/PVE/API2/Network.pm >> +++ b/PVE/API2/Network.pm >> @@ -226,6 +226,7 @@ __PACKAGE__->register_method({ >>         my ($param) = @_; >>   >>         my $rpcenv = PVE::RPCEnvironment::get(); >> +       my $authuser = $rpcenv->get_user(); >>   >>         my $tmp = PVE::INotify::read_file('interfaces', 1); >>         my $config = $tmp->{data}; >> @@ -238,20 +239,24 @@ __PACKAGE__->register_method({ >>         delete $ifaces->{lo}; # do not list the loopback device >>   >>         if ($param->{type}) { >> +           my $vnets = {}; >> +           my $filtered_sdn = undef; >> +           if ($have_sdn && $param->{type} eq 'any_bridge') { >> +               $vnets = PVE::Network::SDN::get_local_vnets(); >> +               $filtered_sdn = 1 if $authuser ne 'root@pam' && keys >> %{$vnets} > 0; >> +           } >> + >>             foreach my $k (keys %$ifaces) { >>                 my $type = $ifaces->{$k}->{type}; >>                 my $match =  ($param->{type} eq $type) || ( >>                     ($param->{type} eq 'any_bridge') && >>                     ($type eq 'bridge' || $type eq 'OVSBridge')); >> -               delete $ifaces->{$k} if !$match; >> +               delete $ifaces->{$k} if !$match || $filtered_sdn; >>             } >>   >> -           if ($have_sdn && $param->{type} eq 'any_bridge') { >> -               my $vnets = PVE::Network::SDN::get_local_vnets(); >> -               map { >> -                   $ifaces->{$_} = $vnets->{$_}; >> -               } keys %$vnets; >> -           } >> +           map { >> +               $ifaces->{$_} = $vnets->{$_}; >> +           } keys %$vnets; >>         } >>   >>         return PVE::RESTHandler::hash_to_array($ifaces, 'iface'); > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >