[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Nov 16 09:54:22 CET 2022
Am 16/11/2022 um 09:47 schrieb Dominik Csapak:
>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>> the other list?
>
> i don't really want to auto remove stuff from one option when set on another.
> maybe it'd make more sense if we don't allow setting and admin tag when
> it's already set in the 'user-allow-list' and vice versa? then
> there cannot be a situation where a tag is in both lists at the same time?
>
Limits use cases, as we'll only ever allow priv'd tags to be used for things
like backup job guest-source selection, and there may be scenarios where an
admin wants to allow the user to set a specific privileged tags in the VMs
they control.
To make that work we'd:
- explicitly allow such listed tags for "normal" VM users even if they're in the
privileged-tags (that's why I used the term "registered" in previous comments,
might be better suited if we deem that privileged is then confusing)
- highlight the fact if a tag is in both
More information about the pve-devel
mailing list