[pdm-devel] [PATCH datacenter-manager 0/3] fix #6901: allow non root users to access the EVPN dashboard
Stefan Hanreich
s.hanreich at proxmox.com
Wed Oct 15 17:26:00 CEST 2025
We might want to to reimplement more granular permissions as well, while
we're at it. Guests have /remotes/<remote>/guest/<vmid> for instance to
allow setting permissions on a per-guest level.
Imo, nothing speaks against implementing permissions the same way as SDN
currently does, which would then be on PDM side:
/remote/<remote>/sdn/zones/<zone>
/remote/<remote>/sdn/zones/<zone>/<vnet>
/remote/<remote>/sdn/controllers/<controller>
On 10/14/25 5:03 PM, Shan Shaji wrote:
> When a non-root user tried to access the EVPN section, the API was
> returning a "403: permission check failed" error. To fix this, explicit
> permission checks have been added for the `/zones`, `/vnets`, and
> `/controllers` endpoints.
>
> Now, every authenticated user can access these endpoints however, the user
> must have at least the Resource.Audit permission under `/resource`.
> Remotes are also filtered based on the user’s access. Lists will only be
> fetched from remotes for which the user has at least the
> `Resource.Audit` permission on `/remote/{remote_name}`.
>
> Shan Shaji (3):
> fix #6901: api: add explicit permission check for controllers list
> fix #6901: api: add explicit permission check for vnets list
> fix #6901: api: add explicit permission check for zones list
>
> server/src/api/sdn/controllers.rs | 30 ++++++++++++++++++++++++++----
> server/src/api/sdn/vnets.rs | 29 ++++++++++++++++++++++++++---
> server/src/api/sdn/zones.rs | 28 +++++++++++++++++++++++++---
> 3 files changed, 77 insertions(+), 10 deletions(-)
>
More information about the pdm-devel
mailing list