[pve-devel] is the next pve version 8.0 with debian 12 ? (any planning on patches merge ?)

DERUMIER, Alexandre alexandre.derumier at groupe-cyllene.com
Fri Apr 28 14:04:02 CEST 2023

> not so much spelled out, but yeah, this came up recently again because
> of a forum question :)
> I would really like to have the ability to restrict access to bridges
> and bridge-like entities from SDN in 8.0. right now it's only possible
> to limit the configuration itself, but not the "usage". for SDN there is
> a cosmetic filter in place, but that is only cosmetic, as long as a
> user/token has VM.Config.Network they can use *any* bridge or *any*
> vnet via the API.
Oh yes, you are right, I totally missed that.

> these are the basic parts I've thought of:
> 1.) decide on the ACLs/privs for regular bridges
> - ACL path and privileges shared with SDN
> - OR: ACL path and privileges shared with other per-node hardware
>   entities, like those used for pass-through
> the former is probably more easy, since it means we don't need special
> helpers or complicated code when checking access in places where either
> a regular bridge or SDN is used.. the advantage of the map would be that
> we'd have a single mechanism for defining and giving access to per-node
> resources. so not really clear cut (yet)

Personally, I think it would be strange to give access to a bridge
on a specific node only.
(The same vmbr name should be the same physical network, so if a user has
access to the vmbr on a node, you can flood traffic to all nodes where the
vmbr is present.)
Also, if HA migrates the VM and the user doesn't have access to the vmbr on
the other node, that's really strange.

> - which privilege levels do we need?
> - See (Audit), Use, Configure (Admin)?
I think:

- "Use" permission on a vmbr, on a vnet, or on a whole zone (all vnets)
- "Admin" on a specific zone (be able to create/modify vnets + reload sdn????)
- "Admin" on a node to configure local vmbr
- "Audit" to read the config of a specific zone

Another thing is the VLAN tag on the VM NIC. I really don't know how to handle
permissions. (With SDN, it's 1 vnet = 1 tag.)
But it could be great to be able to restrict the VLAN list too.

> 2.) implement access control checks in all the places
> - mostly guest-related: create/restore/update/remote-migrate/clone
> - firewall (rules referencing bridges/vnets? maybe it doesn't matter,
>   since if I can change the host firewall I can already mess stuff up,
>   and for the guest firewall I can probably use whatever I want?)
> - SDN (e.g., to configure a zone to use a certain bridge?)
> - node network config (switch from Sys.Modify to SDN.Admin?)
> once the decision on the privileges has been made, we need to backport
> any new privileges to the last 7.x version, so that admins can setup the
> new ACLs before (partially!) upgrading their clusters, and also to avoid
> breaking not-yet-updated nodes when ACLs are modified on already
> upgraded ones.
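
A Python model of the "usage" check discussed in this thread, added here as an illustration and not Proxmox VE code: it contrasts the guest-level `VM.Config.Network` check with a per-bridge/vnet check applied to every `netN` entry of a guest config. The `Net.Use` privilege name, the `/net/...` ACL paths, the cluster-wide (not per-node) scope and the per-bridge VLAN list are assumptions, and all data is constructed.

```python
import re

# Constructed data. "Net.Use" and the /net/... paths are hypothetical
# stand-ins for whatever privilege and ACL layout the final design uses.
ACL = {
    ("alice@pve", "/vms/100"): {"VM.Config.Network"},
    ("alice@pve", "/net/zones/tenantA"): {"Net.Use"},   # whole zone
    ("alice@pve", "/net/bridges/vmbr1"): {"Net.Use"},   # one plain bridge
}
VNET_ZONE = {"vnetA1": "tenantA", "vnetB1": "tenantB"}   # vnet -> zone
ALLOWED_TAGS = {("alice@pve", "vmbr1"): {10, 20}}        # guest-settable VLANs

def has_priv(user, path, priv):
    """True if priv is granted on path or on any parent path (propagation)."""
    parts = path.strip("/").split("/")
    return any(priv in ACL.get((user, "/" + "/".join(parts[:i])), set())
               for i in range(len(parts), -1, -1))

def parse_net(value):
    """Extract (bridge, tag) from a netN value like 'virtio=..,bridge=vmbr1,tag=10'."""
    opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
    return opts.get("bridge"), int(opts["tag"]) if "tag" in opts else None

def legacy_check(user, vmid):
    """Behaviour described in the thread: only the guest-level privilege."""
    return has_priv(user, f"/vms/{vmid}", "VM.Config.Network")

def check_guest_networks(user, vmid, config):
    """Return denial reasons; an empty list means the change is allowed."""
    if not legacy_check(user, vmid):
        return ["missing VM.Config.Network on guest"]
    denied = []
    for key, value in sorted(config.items()):
        bridge, tag = parse_net(value) if re.fullmatch(r"net\d+", key) else (None, None)
        if bridge is None:
            continue  # not a NIC, or a NIC without bridge/vnet
        zone = VNET_ZONE.get(bridge)
        path = f"/net/zones/{zone}/{bridge}" if zone else f"/net/bridges/{bridge}"
        if not has_priv(user, path, "Net.Use"):
            denied.append(f"{key}: no Net.Use on {path}")
        elif tag is not None and tag not in ALLOWED_TAGS.get((user, bridge), set()):
            denied.append(f"{key}: VLAN tag {tag} not allowed on {bridge}")
    return denied

# Constructed guest config: net1 names another tenant's vnet, net2 a VLAN off the list.
CONFIG = {"memory": "2048", "net0": "virtio=BC:24:11:00:00:01,bridge=vnetA1",
          "net1": "virtio=BC:24:11:00:00:02,bridge=vnetB1",
          "net2": "virtio=BC:24:11:00:00:03,bridge=vmbr1,tag=30"}
```

With this data `legacy_check` accepts the whole config, while `check_guest_networks` rejects `net1` and `net2`; the same function would have to be called from every create/restore/update/clone path listed above.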
