[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Nov 16 09:51:22 CET 2022
On November 16, 2022 9:47 am, Dominik Csapak wrote:
> most of the points are clear and ok for me, but
> [snip]
>>> + format => $user_tag_privs_format,
>>> + },
>>> + 'privileged-tags' => {
>>> + optional => 1,
>>> + type => 'string',
>>> + description => "A list of tags that require a `Sys.Modify` on '/') to set and delete. "
>>> + ."Tags set here that are also in 'user-tag-access' also require `Sys.Modify`.",
>>> + pattern => "(?:${PVE::JSONSchema::PVE_TAG_RE};)*${PVE::JSONSchema::PVE_TAG_RE}",
>>> + typetext => "<tag>[;<tag>...]",
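Review bot: the `pattern` line for 'privileged-tags' only constrains the shape of the value (`<tag>[;<tag>...]`), so it neither rejects a tag that is repeated within the list nor one that is also listed under 'user-tag-access'. Because the description promises that an overlapping tag still requires `Sys.Modify`, the permission check has to consult 'privileged-tags' before 'user-tag-access'. Either state that precedence explicitly in the description or reject the overlap where the option is set and parsed.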
>>
>> stray 'a' and ')' in first sentence.
>>
>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>> the other list?
>
> i don't really want to auto remove stuff from one option when set on another.
> maybe it'd make more sense if we don't allow setting an admin tag when
> it's already set in the 'user-allow-list' and vice versa? then
> there cannot be a situation where a tag is in both lists at the same time?

forbidding it on the API level (and maybe, to catch bugs, when writing the
config) is only part of it though - such duplicates would need to be filtered
out when parsing as well, else they can sneak in via a manual config file edit.
but yeah, that would work as well I think.
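
The two layers discussed in this reply, sketched as an added example (not code from the patch or from Proxmox): a strict check for the API/write path and a tolerant filter for the parse path. The function names are hypothetical, both options are treated as plain `;`-separated tag lists, and letting the privileged list win on overlap is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split a "<tag>[;<tag>...]" value, dropping empty and repeated entries.
# Validating the tag format itself is left to the schema pattern.
sub split_tags {
    my ($value) = @_;
    my (%seen, @tags);
    for my $tag (split(/;/, $value // '')) {
        next if $tag eq '' || $seen{$tag}++;
        push @tags, $tag;
    }
    return @tags;
}

# API/write path: refuse a config in which a tag is in both lists.
sub assert_disjoint {
    my ($privileged, $user_allow) = @_;
    my %priv = map { $_ => 1 } split_tags($privileged);
    my @both = grep { $priv{$_} } split_tags($user_allow);
    die "tags set in both lists: " . join(', ', @both) . "\n" if @both;
    return 1;
}

# Parse path: a manually edited file can still contain an overlap, so filter
# it here. Assumption: the privileged list wins and the tag is dropped from
# the user list, rather than failing the whole parse.
sub parse_tag_lists {
    my ($privileged, $user_allow) = @_;
    my @priv = split_tags($privileged);
    my %priv = map { $_ => 1 } @priv;
    my @user = grep { !$priv{$_} } split_tags($user_allow);
    return { 'privileged-tags' => \@priv, 'user-allow-list' => \@user };
}

# Constructed sample values, as if taken from a hand-edited config file.
my ($priv_raw, $user_raw) = ('prod;backup', 'dev;prod;dev');

my $cfg = parse_tag_lists($priv_raw, $user_raw);
print "privileged: @{$cfg->{'privileged-tags'}}\n";
print "user:       @{$cfg->{'user-allow-list'}}\n";

# The same values are rejected outright on the write path.
eval { assert_disjoint($priv_raw, $user_raw) };
print "write rejected: $@" if $@;
```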