From: David Riley <d.riley@proxmox.com>
To: Gabriel Goller <g.goller@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: Re: [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets
Date: Fri, 12 Jun 2026 16:17:03 +0200 [thread overview]
Message-ID: <a9ade3a6-3cd7-450f-9951-3a4bd192af68@proxmox.com> (raw)
In-Reply-To: <178127201519.718919.5198816838031871654.b4-reply@b4>
On 6/12/26 3:46 PM, Gabriel Goller wrote:
> On 2026-06-12 14:51 +0200, David Riley wrote:
>> Thanks for the feedback.
>>
>> The intention behind adding this segment to the ACL path is to allow
>> for fine-grained, hierarchical permission scoping, not to couple the
>> ACL system to specific VNet properties.
>>
>> I used vlan as a placeholder for 'tag', but in retrospect, the naming
>> is a bit confusing, and I'm happy to adapt this in a v2.
>>
>> From a permission perspective, including the tag in the path makes
>> sense, as it allows us to restrict pool users to a specific VNet and
>> tag combination.
> Maybe I'm a bit dim, but you mean the VNet tag right -- so the tag I configure
> on each VNet?
No, I don't mean the tag configured on the VNet itself. I mean the
VLAN tag configured on the guest's network interface (NIC) when
attaching the VM to a VLAN-aware VNet.
>> So if you have a pool with a VM, storage and VNet + Tag and assign the
>> pool permissions: PVEVMAdmin, PVESDNUser
>>
>> The user can fully manage this VM, including adding a new NIC, but
>> they can only add it using the exact VNet + Tag combination. Just
>> adding the VNet would not work.
> How is this different than just adding the VNet? Will this restrict the user
> from adding another vlan tag on the VM (when using vlanaware vnets)? Is this
> just to prevent the user from editing the VNet tag?
Yes it will restrict the user.
This is how I tested it (and what I envision the primary use case to
be) is this:
* You create a simple zone.
* In that zone, you create a VNet and make it vlanaware.
* You add this VNet to the pool by selecting the zone, the VNet, and
setting a specific tag (e.g., 1).
The user then gets the following ACL path from the pool:
/sdn/zones/zone/vnet/1
If the user tries to add a network card to their VM using only the
zone and VNet without the VLAN tag, it will fail:
Permission check failed (/sdn/zones/zone/vnet, SDN.Use) (403)
Trying to assign a different VLAN tag (e.g., 2) will also fail:
Permission check failed (/sdn/zones/zone/vnet/2, SDN.Use) (403)
Only using the zone, VNet, and tag 1 will work.
So it effectively allows an admin to share a single VLAN-aware VNet
across multiple pools, strictly isolating users to their assigned
VLANs.
>> Let me know if this makes sense.
>>
>> [snip]
next prev parent reply other threads:[~2026-06-12 14:17 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 14:59 [PATCH access-control/cluster/manager/network/qemu-server 0/9] fix #7294: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 1/9] ui: replace var with let to match style guide for variable declaration David Riley
2026-06-11 14:59 ` [PATCH pve-manager 2/9] fix #7294: api: pool: add SDN VNets as pool members David Riley
2026-06-11 14:59 ` [PATCH pve-manager 3/9] fix #7294: ui: " David Riley
2026-06-11 14:59 ` [PATCH pve-access-control 4/9] fix #7294: acl: " David Riley
2026-06-11 14:59 ` [PATCH pve-network 5/9] fix #7294: sdn: register api formats for zones and vnets David Riley
2026-06-12 12:18 ` Gabriel Goller
2026-06-12 12:51 ` David Riley
2026-06-12 13:46 ` Gabriel Goller
2026-06-12 14:17 ` David Riley [this message]
2026-06-11 14:59 ` [PATCH pve-network 6/9] fix #7294: sdn: vnet: update pool members on vnet migration and deletion David Riley
2026-06-11 16:21 ` Gabriel Goller
2026-06-12 6:37 ` David Riley
2026-06-12 8:41 ` Gabriel Goller
2026-06-11 14:59 ` [PATCH pve-cluster 7/9] cluster: add helpers module with version comparison functions David Riley
2026-06-11 14:59 ` [PATCH pve-cluster 8/9] fix #7294: cluster: helpers: add cluster-wide version assertion David Riley
2026-06-11 14:59 ` [PATCH qemu-server 9/9] fix #7294: helpers: use cluster-wide version helper David Riley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a9ade3a6-3cd7-450f-9951-3a4bd192af68@proxmox.com \
--to=d.riley@proxmox.com \
--cc=g.goller@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox