[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Nov 16 10:40:32 CET 2022


On 16/11/2022 at 10:31, Fabian Grünbichler wrote:
>>> ok, then I have to change the permission checking code (currently I forbid
>>> 'normal' users the tag if it was in the 'privileged-tags' section, regardless
>>> if it was in the 'user-allow-list' or not)
>> maybe wait on Fabian's opinion on that, I don't want to push this too strongly
>> but can imagine that it might be sensible and useful, and hard to change later.
> If we say vzdump should only use privileged tags for backup inclusion logic (to
> avoid unprivileged users adding that tag to their VM and causing it to be backed
> up), but then make some of those tags effectively non-privileged (which allows
> exactly that), why do we have the restriction in vzdump in the first place?

maybe re-read my scenario, feels like you're missing a bit here, maybe name it
"registered-tags" as suggested to make the confusion go away.

> 
> that sounds like a complicated way (with lots of side-effects, because

it's very simple?

> privileged tags might be used in other places in the future as well) to make the
> "vzdump should only use privileged tags" part configurable.. maybe there should
> simply be a list of "vzdump tags" in addition to the privileged ones? those
> would then be unprivileged, but the scope of "these allow vzdump job inclusion"
> is clear and limited. or we just keep "vzdump only looks at privileged tags" for
> now to keep it simple - extending that one way or another in the future is
> always possible if it is restricted now, the other way is harder 😉

not sure where you get complicated?

- You have a list of tags that are useable for backup source

- You have a mode where you can specify a list of tags that "normal VM admins" can use

- If they intersect then a "normal VM admin" can use it too

If you want to give a user control of what a (admin controlled!) job includes in
terms of guests then you can do so easily by also allowing the registered tag, if
not then don't? Note that not all setups host externally mostly untrusted guests/
users, the bigger market for us is those where an admin has a trust basis and also
no problem in giving control




