[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Nov 16 10:10:32 CET 2022


On 16/11/2022 at 10:04, Dominik Csapak wrote:
> On 11/16/22 09:54, Thomas Lamprecht wrote:
>> On 16/11/2022 at 09:47, Dominik Csapak wrote:
>>>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>>>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>>>> the other list?
>>>
>>> i don't really want to auto remove stuff from one option when set on another.
>>> maybe it'd make more sense if we don't allow setting an admin tag when
>>> it's already set in the 'user-allow-list' and vice versa? then
>>> there cannot be a situation where a tag is in both lists at the same time?
>>>
>>
>>
>> Limits use cases, as we'll only ever allow priv'd tags to be used for things
>> like backup job guest-source selection, and there may be scenarios where an
>> admin wants to allow the user to set a specific privileged tag in the VMs
>> they control.
>>
>> To make that work we'd:
>> - explicitly allow such listed tags for "normal" VM users even if they're in the
>>    privileged-tags (that's why I used the term "registered" in previous comments,
>>    might be better suited if we deem that privileged is then confusing)
>>
>> - highlight the fact if a tag is in both
>>
> 
> ok, then i have to change the permission checking code (currently i forbid
> 'normal' users the tag if it was in the 'privileged-tags' section, regardless
>  if it was in the 'user-allow-list' or not)

maybe wait on Fabian's opinion on that, I don't want to push this too strongly
but can imagine that it might be sensible and useful, and hard to change later.

> 
> how would you highlight that? a warning on the cli/syslog/etc. is not
> visible, but on the ui we don't really have an obvious place to do so
> 
> i could try to add a separate 'warning' row in the object grid when
> that happens, not sure if that's what you meant though
> 

Syslog is never the place for such things, needs to happen on edit, and for
now there's no CLI so GUI is the only place we need to care about (edit cfgs
manually -> be on your own).

So a bottom section that shows a hint about the tags that are in both lists,
the hint would then be located in the edit windows for registered and allowed-list
of tags, so it doesn't necessarily need to be inline (i.e., some highlight in
the existing tag edit).




