[pve-devel] [PATCH cluster v10 4/5] datacenter.cfg: add tag rights control to the datacenter config

Wed Nov 16 10:51:17 CET 2022

On November 16, 2022 10:40 am, Thomas Lamprecht wrote:
> Am 16/11/2022 um 10:31 schrieb Fabian Grünbichler:
>>>> ok, then i have to change the permission checking code (currently i forbid
>>>> 'normal' users the tag if it was in the 'privileged-tags' section, regardless
>>>>  if it was in the 'user-allow-list' or not)
>>> maybe wait on Fabian's opinion on that, I don't want to push this to strongly
>>> but can imagine that it might be sensible and useful, and hard to change later.
>> If we say vzdump should only use privileged tags for backup inclusion logic (to
>> avoid unprivileged users adding that tag to their VM and causing it to be backed
>> up), but then make some of those tags effectively non-privileged (which allows
>> exactly that), why do we have the restriction in vzdump in the first place?
> 
> maybe re-read my scenario, feels like you're missing a bit here, maybe name it
> "registered-tags" as suggested to make the confusion go away.
> 
>> 
>> that sounds like a complicated way (with lots of side-effects, because
> 
> it's very simple?
> 
>> privileged tags might be used in other places in the future as well) to make the
>> "vzdump should only use privileged tags" part configurable.. maybe there should
>> simply be a list of "vzdump tags" in addition to the privileged ones? those
>> would then be unprivileged, but the scope of "these allow vzdump job inclusion"
>> is clear and limited. or we just keep "vzdump only looks at privileged tags" for
>> now to keep it simple - extending that one way or another in the future is
>> always possible if it is restricted now, the other way is harder 😉
> 
> not sure where you get complicated?
> 
> - You have a list of tags that are useable for backup source
>

the problem is that this list of tags might also be used for other things than
backup source (either by PVE, or by custom tooling) where the difference between
(who can set a) "regular tag" and (a) "privileged/registered/.. tag" matters.

> - You have a mode where you can say that a list of tags that "normal VM admins" can use
> 
> - If they intersect then a "normal VM admin" can use it too
> 
> If you want to give a user control of what a (admin controlled!) job includes in
> terms of guests then you can do so easily by also allowing the registered tag, if
> not then don't? Note that not all setups host externally mostly untrusted guests/
> users, the bigger market for us is those where a admin has a trust basis and also
> no problem in giving control

I understand the issue/scenario, but I think the missing scope restricts us down
the line when we want to start using the difference between "registered"
(restricted?) tags and normal ones for other things besides vzdump - because the
admin when lifting the restriction might not be aware of the implication that
this doesn't just affect vzdump jobs (for example, because the other feature
that also uses the list of special tags is not even implemented yet at that
point). if we don't care about that then sure, we can just have two lists and
allow tags being in both, but it should come with a warning about the
implications ;)