[pdm-devel] [PATCH proxmox-datacenter-manager 8/9] api: add permissions for ip-vrf and mac-vrf endpoints
Gabriel Goller
g.goller at proxmox.com
Wed Nov 12 14:20:25 CET 2025
The ip-vrf and mac-vrf endpoints expose EVPN zone and vnet information
but currently lack access control. Add permission checks that require
Audit privileges on the respective zone or vnet.
Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---
server/src/api/nodes/sdn.rs | 52 +++++++++++++++++++++++++++++++++++--
1 file changed, 50 insertions(+), 2 deletions(-)
diff --git a/server/src/api/nodes/sdn.rs b/server/src/api/nodes/sdn.rs
index 065ebe07846e..ee857ea9eee9 100644
--- a/server/src/api/nodes/sdn.rs
+++ b/server/src/api/nodes/sdn.rs
@@ -1,4 +1,4 @@
-use anyhow::{anyhow, Error};
+use anyhow::{anyhow, format_err, Error};
use http::StatusCode;
use pdm_api_types::{remotes::REMOTE_ID_SCHEMA, sdn::SDN_ID_SCHEMA, NODE_SCHEMA};
@@ -9,6 +9,10 @@ use pve_api_types::{SdnVnetMacVrf, SdnZoneIpVrf};
use crate::api::pve::{connect, get_remote};
mod zones {
+ use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
+ use proxmox_access_control::CachedUserInfo;
+ use proxmox_router::{http_bail, Permission, RpcEnvironment};
+
use super::*;
const ZONE_SUBDIRS: SubdirMap = &[("ip-vrf", &Router::new().get(&API_METHOD_GET_IP_VRF))];
@@ -28,13 +32,33 @@ mod zones {
},
},
returns: { type: SdnZoneIpVrf },
+ access: {
+ permission: &Permission::Anybody,
+ description: "The user needs to have at least the `Resource.Audit` privilege on
+ `/resource/{remote}/sdn/zone/{zone}`."
+ }
)]
/// Get the IP-VRF for an EVPN zone for a node on a given remote
async fn get_ip_vrf(
remote: String,
node: String,
zone: String,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<SdnZoneIpVrf>, Error> {
+ let user_info = CachedUserInfo::new()?;
+
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "zone", &zone])
+ & PRIV_RESOURCE_AUDIT
+ == 0
+ {
+ http_bail!(FORBIDDEN, "user has no access to {remote}/sdn/zone/{zone}");
+ }
+
let (remote_config, _) = pdm_config::remotes::config()?;
let remote = get_remote(&remote_config, &remote)?;
let client = connect(remote)?;
@@ -52,6 +76,10 @@ mod zones {
}
mod vnets {
+ use pdm_api_types::{Authid, PRIV_RESOURCE_AUDIT};
+ use proxmox_access_control::CachedUserInfo;
+ use proxmox_router::{http_bail, Permission, RpcEnvironment};
+
use super::*;
const VNET_SUBDIRS: SubdirMap = &[("mac-vrf", &Router::new().get(&API_METHOD_GET_MAC_VRF))];
@@ -71,16 +99,36 @@ mod vnets {
},
},
returns: { type: SdnVnetMacVrf },
+ access: {
+ permission: &Permission::Anybody,
+ description: "The user needs to have at least the `Resource.Audit` privilege on
+ `/resource/{remote}/sdn/vnet/{vnet}`."
+ }
)]
/// Get the MAC-VRF for an EVPN vnet for a node on a given remote
async fn get_mac_vrf(
remote: String,
node: String,
vnet: String,
+ rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<SdnVnetMacVrf>, Error> {
+ let user_info = CachedUserInfo::new()?;
+
+ let auth_id: Authid = rpcenv
+ .get_auth_id()
+ .ok_or_else(|| format_err!("no authid available"))?
+ .parse()?;
+
+ if user_info.lookup_privs(&auth_id, &["resource", &remote, "sdn", "vnet", &vnet])
+ & PRIV_RESOURCE_AUDIT
+ == 0
+ {
+ http_bail!(FORBIDDEN, "user has no access to {remote}/sdn/vnet/{vnet}");
+ }
+
let (remote_config, _) = pdm_config::remotes::config()?;
let remote = get_remote(&remote_config, &remote)?;
- let client = connect(&remote)?;
+ let client = connect(remote)?;
client
.get_vnet_mac_vrf(&node, &vnet)
--
2.47.3
More information about the pdm-devel
mailing list