[pdm-devel] [PATCH proxmox-datacenter-manager 7/9] api: sdn: add granular permissions for controllers
Gabriel Goller
g.goller at proxmox.com
Wed Nov 12 14:20:24 CET 2025
Add granular permissions for sdn controllers. This allows us the
specific permissions like:
`/resource/{remote}/sdn/controller/{controller-name}`.
Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---
server/src/api/sdn/controllers.rs | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/server/src/api/sdn/controllers.rs b/server/src/api/sdn/controllers.rs
index e6ab5367792b..5b58e6307d44 100644
--- a/server/src/api/sdn/controllers.rs
+++ b/server/src/api/sdn/controllers.rs
@@ -54,7 +54,7 @@ pub const ROUTER: Router = Router::new().get(&API_METHOD_LIST_CONTROLLERS);
permission: &Permission::Anybody,
description: "The user needs to have at least the `Resource.Audit` privilege under `/resource`.
Only controllers from remotes for which the user has `Resource.Audit` on `/resource/{remote_name}`
- will be included in the returned list."
+ and `/resource/{remote_name}/sdn/controller/{controller}` will be included in the returned list."
}
)]
/// Query controllers of remotes with optional filtering options
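Review bot: The new wording on the `+` line reads as if two separate grants are required (`/resource/{remote_name}` and `/resource/{remote_name}/sdn/controller/{controller}`), but this hunk does not show whether a remote-level check still exists, and the per-controller hunk below only looks up the controller path. If the intent is that a grant on the remote path propagates to the controller path, the sentence should say that rather than "and"; if the intent is a single effective rule, state it directly, e.g. `Only controllers for which the user has `Resource.Audit` on `/resource/{remote_name}/sdn/controller/{controller}` will be included in the returned list.` Keeping the description aligned with the actual lookup matters here because operators size ACL grants from this text.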
@@ -110,12 +110,20 @@ pub async fn list_controllers(
Ok(remote_result) => {
for (node, node_result) in remote_result.node_results.into_iter() {
match node_result {
- Ok(NodeResults { data, .. }) => {
- controllers.extend(data.into_iter().map(|controller| ListController {
- remote: remote.clone(),
- controller,
- }))
- }
+ Ok(NodeResults { data, .. }) => controllers.extend(
+ data.into_iter()
+ .filter(|c| {
+ user_info.lookup_privs(
+ &auth_id,
+ &["resource", &remote, "sdn", "controller", &c.controller],
+ ) & PRIV_RESOURCE_AUDIT
+ != 0
+ })
+ .map(|controller| ListController {
+ remote: remote.clone(),
+ controller,
+ }),
+ ),
Err(error) => {
log::error!(
"could not fetch controllers from remote {} node {}: {error:#}",
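Review bot: The ACL path on the line `&["resource", &remote, "sdn", "controller", &c.controller]` is built from `c.controller`, a value received from the remote rather than validated locally, so the fail-closed behaviour of this filter rests on `lookup_privs` treating each slice element as one atomic path component and on the remote having validated the name. That assumption deserves a comment next to the filter, e.g. `// Per-controller ACL check: keep only controllers the caller may audit; the name comes from the remote and is used as a single path component.` The check itself is fail-closed (a controller is dropped unless the `Resource.Audit` bit is set), which is the right default for a listing endpoint. `user_info` and `auth_id` are defined before this hunk, and list_controllers starts and ends outside it.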
--
2.47.3