[pdm-devel] [PATCH datacenter-manager v2 1/3] fix #6901: api: add explicit permission check for controllers list
Shan Shaji
s.shaji at proxmox.com
Tue Nov 4 10:30:38 CET 2025
On Mon Nov 3, 2025 at 2:40 PM CET, Lukas Wagner wrote:
> Hi Shan, thanks a lot for the patch!
>
> One comment inline, apart from that it looks good to me.
>
> On Fri Oct 17, 2025 at 3:02 PM CEST, Shan Shaji wrote:
>> When a non-root user tried to access the EVPN section, the API was
>> throwing "403: permission check failed" error. To fix this, add
>> explicit permission check for the `/controller` endpoint.
>>
>> Now every authenticated user can access the endpoint however, the user
>> needs to have at least `Resource.Audit` permission under `/resource`.
>> Only the controllers from remotes which the user has `Resource.Audit`
>> privilege on `/remote/{remote_name}` will be included in the returned
>> list.
>>
>> Signed-off-by: Shan Shaji <s.shaji at proxmox.com>
>> ---
>> server/src/api/sdn/controllers.rs | 30 ++++++++++++++++++++++++++----
>> 1 file changed, 26 insertions(+), 4 deletions(-)
>>
>> diff --git a/server/src/api/sdn/controllers.rs b/server/src/api/sdn/controllers.rs
>> index 271397a..649d668 100644
>> --- a/server/src/api/sdn/controllers.rs
>> +++ b/server/src/api/sdn/controllers.rs
>> @@ -1,10 +1,11 @@
>> use std::collections::HashSet;
>>
>> -use anyhow::Error;
>> +use anyhow::{format_err, Error};
>>
>> use pbs_api_types::REMOTE_ID_SCHEMA;
>> -use pdm_api_types::{remotes::RemoteType, sdn::ListController};
>> -use proxmox_router::Router;
>> +use pdm_api_types::{remotes::RemoteType, sdn::ListController, Authid, PRIV_RESOURCE_AUDIT};
>> +use proxmox_access_control::CachedUserInfo;
>> +use proxmox_router::{http_bail, Permission, Router, RpcEnvironment};
>> use proxmox_schema::api;
>> use pve_api_types::ListControllersType;
>>
>> @@ -49,6 +50,12 @@ pub const ROUTER: Router = Router::new().get(&API_METHOD_LIST_CONTROLLERS);
>> type: ListController,
>> },
>> },
>> + access: {
>> + permission: &Permission::Anybody,
>> + description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
>> + Only controllers from remotes for which the user has `Resource.Audit` on `/remote/{remote_name}`
>
> I think there is a typo here, as far as I can tell the ACL path should
> be /resource/{remote_name}? Also applies to the other two patches.
Hi Lukas, Thank you so much for the review. I will send an updated patch.
>
>> + will be included in the returned list."
>> + }
>> )]
>> /// Query controllers of remotes with optional filtering options
>> pub async fn list_controllers(
>> @@ -56,10 +63,25 @@ pub async fn list_controllers(
>> running: Option<bool>,
>> ty: Option<ListControllersType>,
>> remotes: Option<HashSet<String>>,
>> + rpcenv: &mut dyn RpcEnvironment,
>> ) -> Result<Vec<ListController>, Error> {
>> + let user_info = CachedUserInfo::new()?;
>> +
>> + let auth_id: Authid = rpcenv
>> + .get_auth_id()
>> + .ok_or_else(|| format_err!("no authid available"))?
>> + .parse()?;
>> +
>> + if !user_info.any_privs_below(&auth_id, &["resource"], PRIV_RESOURCE_AUDIT)? {
>> + http_bail!(FORBIDDEN, "user has no access to resources");
>> + }
>> +
>> let (remote_config, _) = pdm_config::remotes::config()?;
>> + let authorized_remotes = remote_config.into_iter().filter(|(remote_name, _)| {
>> + user_info.lookup_privs(&auth_id, &["resource", &remote_name]) & PRIV_RESOURCE_AUDIT != 0
>> + });
>>
>> - let filtered_remotes = remote_config.into_iter().filter_map(|(_, remote)| {
>> + let filtered_remotes = authorized_remotes.filter_map(|(_, remote)| {
>> if remote.ty == RemoteType::Pve
>> && remotes
>> .as_ref()
More information about the pdm-devel
mailing list