[pve-devel] [PATCH v2 pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets.

Alexandre Derumier aderumier at odiso.com
Mon Oct 4 08:08:51 CEST 2021


This remove vmbr* from bridgeselector if user have access to vnets.
if user need to have also access to vmbr, we can add a permission
in path "/sdn/vnets/vmbrX"

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 PVE/API2/Network.pm | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index a26f36d2..53165660 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -226,6 +226,7 @@ __PACKAGE__->register_method({
 	my ($param) = @_;
 
 	my $rpcenv = PVE::RPCEnvironment::get();
+	my $authuser = $rpcenv->get_user();
 
 	my $tmp = PVE::INotify::read_file('interfaces', 1);
 	my $config = $tmp->{data};
@@ -238,20 +239,26 @@ __PACKAGE__->register_method({
 	delete $ifaces->{lo}; # do not list the loopback device
 
 	if ($param->{type}) {
+	    my $vnets = {};
+	    my $filtered_sdn = undef;
+	    my $privs = [ 'SDN.Audit', 'SDN.Allocate' ];
+
+	    if ($have_sdn && $param->{type} eq 'any_bridge') {
+		$vnets = PVE::Network::SDN::get_local_vnets();
+		$filtered_sdn = 1 if $authuser ne 'root at pam' && keys %{$vnets} > 0;
+	    }
+
 	    foreach my $k (keys %$ifaces) {
 		my $type = $ifaces->{$k}->{type};
 		my $match =  ($param->{type} eq $type) || (
 		    ($param->{type} eq 'any_bridge') && 
 		    ($type eq 'bridge' || $type eq 'OVSBridge'));
-		delete $ifaces->{$k} if !$match;
+		delete $ifaces->{$k} if !$match || ($filtered_sdn && !$rpcenv->check_any($authuser, "/sdn/vnets/$k", $privs, 1));
 	    }
 
-	    if ($have_sdn && $param->{type} eq 'any_bridge') {
-		my $vnets = PVE::Network::SDN::get_local_vnets();
-		map {
-		    $ifaces->{$_} = $vnets->{$_};
-		} keys %$vnets;
-	    }
+	    map {
+	    	$ifaces->{$_} = $vnets->{$_};
+	    } keys %$vnets;
 	}
 
 	return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
-- 
2.30.2




More information about the pve-devel mailing list