[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Nov 16 09:54:22 CET 2022


Am 16/11/2022 um 09:47 schrieb Dominik Csapak:
>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>> the other list?
> 
> i don't really want to auto remove stuff from one option when set on another.
> maybe it'd make more sense if we don't allow setting and admin tag when
> it's already set in the 'user-allow-list' and vice versa? then
> there cannot be a situation where a tag is in both lists at the same time?
> 


Limits use cases, as we'll only ever allow priv'd tags to be used for things
like backup job guest-source selection, and there may be scenarios where an
admin wants to allow the user to set a specific privileged tags in the VMs
they control.

To make that work we'd:
- explicitly allow such listed tags for "normal" VM users even if they're in the
  privileged-tags (that's why I used the term "registered" in previous comments,
  might be better suited if we deem that privileged is then confusing)

- highlight the fact if a tag is in both



More information about the pve-devel mailing list