[pve-devel] [PATCH-SERIE pve-access-control/pve-manager/qemu-server] check permissions on local bridge

[Fabian Grünbichler]

On June 6, 2023 8:54 am, DERUMIER, Alexandre wrote:
> Le mardi 06 juin 2023 à 05:32 +0000, DERUMIER, Alexandre a écrit :
>> > to have at least the local bridge ACL path (for the zone, or for
>> > the
>> > zone and the bridges?) in the regular ACL selectors in 7.x as well,
>> > if
>> > we pull in something in pve-manager, than IMHO it should be that,
>> > not
>> > the full-flegded new panels.
>> I'll look to rewrok the selector, vnets are not yet displayed. (only
>> sdn zones, and localnetwork zone is also not displayed )
> 
> Looking at that,
> currently the pathselector is filled from cluster ressources.
> 
> I really don't known if we want to add all vnets to the cluster
> ressources api. (as we don't really want to expose them in the tree
> anyway,  like a disk from a datastore is not exposed. User could have a
> lot bridges, and the ressource json can be already big)
> 
> User could still add manually the bridge in the path if needed.
> 
> User could still use the new panel for easy add more granular
> permissions on bridge/vlan.

I think for PVE 7, we mainly want to provide an easy way to stay
compatible to the old behaviour, that would basically mean:

pveum acl modify /sdn/zones/localnetwork --groups XXX --users YYY --tokens ZZZ --roles PVESDNUser

rinse repeat for any SDN zones if you have any.

for the GUI, the least invasive change would be to just add a hardcoded
ACL selector entry for /sdn/zones/localnetwork (the rest can be done
manually via the GUI or pveum).

note that existing guests continue to work fine, it's just
- creating new ones (from scratch, backup or via clone)
- modifying any virtual nics on any guests

that require the permissions.

PVEAdmins and existing PVESDNAdmins would already have the required
permissions anyway (Administrator as well). so this would mostly affect
PVEVMAdmins and custom roles.