[pve-devel] [PATCH manager] api2: network: anybridge: re-add regular bridges

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Apr 27 13:36:00 CEST 2022


commit 052fbb2a4d1bdeb490b2e3b67cd7555e460ebe93 introduced permission
checks here that caused all regular bridges to be removed from the
returned list as soon as the SDN package is installed, unless the user
is root at pam or there exists a VNET with the same ID.

this is arguably a breaking change, so limit the priv check to actually
defined VNETs for the time being, and add ALL regular bridges
uncondtionally like before.

get_local_vnets already filters by the same prvs, so we need to get the
full config to find out which IDs are VNETs and which are not.

once/iff we introduce ACL paths for *all* bridges in the future, we can
limit accordingly here.

CC: Alexandre Derumier <aderumier at odiso.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/API2/Network.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
index 214ab50a..a43579fa 100644
--- a/PVE/API2/Network.pm
+++ b/PVE/API2/Network.pm
@@ -240,13 +240,16 @@ __PACKAGE__->register_method({
 
 	if (my $tfilter = $param->{type}) {
 	    my $vnets;
+	    my $vnet_cfg;
 	    my $can_access_vnet = sub { # only matters for the $have_sdn case, checked implict
 		return 1 if $authuser eq 'root at pam' || !defined($vnets);
+		return 1 if !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # not a vnet
 		$rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit', 'SDN.Allocate'], 1)
 	    };
 
 	    if ($have_sdn && $param->{type} eq 'any_bridge') {
 		$vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered
+		$vnet_cfg = PVE::Network::SDN::Vnets::config();
 	    }
 
 	    for my $k (sort keys $ifaces->%*) {
-- 
2.30.2






More information about the pve-devel mailing list