[pve-devel] [PATCH access-control v2 2/6] added acls for Shared Filesystem Directories
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Jan 16 16:45:52 CET 2023
Am 23/12/2022 um 14:10 schrieb Markus Frank:
> Signed-off-by: Markus Frank <m.frank at proxmox.com>
> ---
> src/PVE/AccessControl.pm | 2 ++
> src/PVE/RPCEnvironment.pm | 12 +++++++++++-
> 2 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> index a95d072..742304c 100644
> --- a/src/PVE/AccessControl.pm
> +++ b/src/PVE/AccessControl.pm
> @@ -1221,6 +1221,8 @@ sub check_path {
> |/storage/[[:alnum:]\.\-\_]+
> |/vms
> |/vms/[1-9][0-9]{2,}
> + |/dirs
> + |/dirs/[[:alnum:]\.\-\_]+
I do not like this too much, iff we expose this at the ACL level I'd rather like to
use a /map/<type>/<id> path, as we need that for Dominik's HW (PCI(e)) mappings anyway,
and I think we could reuse such a mapping ACL object path for even more things (e.g., VMID
(allocation) ranges, CPU cores (for cpu task set/pinning), ...
Besides that, note that our access model normally adds privileges based of the top-level
ACL object path, with the fitting roles - e.g., here that could be Dirs.Audit, Dirs.Modify
Dirs.Use – but with above it will then naturally something like Map.Audit, Map.Modify,
Map.Use.
More information about the pve-devel
mailing list