[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config

Dominik Csapak d.csapak at proxmox.com
Wed Nov 16 10:04:04 CET 2022


On 11/16/22 09:54, Thomas Lamprecht wrote:
> On 16/11/2022 at 09:47, Dominik Csapak wrote:
>>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>>> the other list?
>>
>> i don't really want to auto remove stuff from one option when set on another.
>> maybe it'd make more sense if we don't allow setting an admin tag when
>> it's already set in the 'user-allow-list' and vice versa? then
>> there cannot be a situation where a tag is in both lists at the same time?
>>
> 
> 
> Limits use cases, as we'll only ever allow priv'd tags to be used for things
> like backup job guest-source selection, and there may be scenarios where an
> admin wants to allow the user to set a specific privileged tag in the VMs
> they control.
> 
> To make that work we'd:
> - explicitly allow such listed tags for "normal" VM users even if they're in the
>    privileged-tags (that's why I used the term "registered" in previous comments,
>    might be better suited if we deem that privileged is then confusing)
> 
> - highlight the fact if a tag is in both
> 

ok, then i have to change the permission checking code (currently i forbid
'normal' users the tag if it was in the 'privileged-tags' section, regardless
if it was in the 'user-allow-list' or not)

how would you highlight that? a warning on the cli/syslog/etc. is not
visible, but on the ui we don't really have an obvious place to do so

i could try to add a separate 'warning' row in the object grid when
that happens, not sure if that's what you meant though




