[pve-devel] [PATCH v2 pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets.
Alexandre Derumier
aderumier at odiso.com
Mon Oct 4 08:08:51 CEST 2021
This removes vmbr* from the bridge selector if the user has access to vnets.
If the user also needs access to a vmbr, we can add a permission
on the path "/sdn/vnets/vmbrX".
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
PVE/API2/Network.pm | 21 ++++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index a26f36d2..53165660 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -226,6 +226,7 @@ __PACKAGE__->register_method({
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
my $tmp = PVE::INotify::read_file('interfaces', 1);
my $config = $tmp->{data};
@@ -238,20 +239,26 @@ __PACKAGE__->register_method({
delete $ifaces->{lo}; # do not list the loopback device
if ($param->{type}) {
+ my $vnets = {};
+ my $filtered_sdn = undef;
+ my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
+
+ if ($have_sdn && $param->{type} eq 'any_bridge') {
+ $vnets = PVE::Network::SDN::get_local_vnets();
+ $filtered_sdn = 1 if $authuser ne 'root at pam' && keys %{$vnets} > 0;
+ }
+
foreach my $k (keys %$ifaces) {
my $type = $ifaces->{$k}->{type};
my $match = ($param->{type} eq $type) || (
($param->{type} eq 'any_bridge') &&
($type eq 'bridge' || $type eq 'OVSBridge'));
- delete $ifaces->{$k} if !$match;
+ delete $ifaces->{$k} if !$match || ($filtered_sdn && !$rpcenv->check_any($authuser, "/sdn/vnets/$k", $privs, 1));
}
- if ($have_sdn && $param->{type} eq 'any_bridge') {
- my $vnets = PVE::Network::SDN::get_local_vnets();
- map {
- $ifaces->{$_} = $vnets->{$_};
- } keys %$vnets;
- }
+ map {
+ $ifaces->{$_} = $vnets->{$_};
+ } keys %$vnets;
}
return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
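Review bot: The `check_any` test on `/sdn/vnets/$k` in the new `delete` line only runs when `$filtered_sdn` is set, and that flag requires `keys %{$vnets} > 0`, so a non-root user for whom `get_local_vnets()` returns nothing still receives every bridge unchecked. The listing is therefore fail-open: what a user sees for vmbr* depends on whether any vnet is visible, not on that user's privileges on the bridge. If that is intended, document it above the flag, e.g. `# bridges are ACL-filtered only once at least one vnet is visible to the user; this hides selector entries and is not an access check`. Whether attaching a NIC to a hidden bridge is rejected elsewhere cannot be seen from this hunk and should be confirmed. The `'root at pam'` literal is presumably the archive's rendering of `root@pam` and would need restoring before the patch is applied from this page; the enclosing handler starts and ends outside the hunk.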
--
2.30.2