[pve-devel] [PATCH pve-access-control 2/2] rpcenvironnment: add check_sdn_bridge
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Jun 6 14:37:05 CEST 2023
On June 6, 2023 2:15 pm, DERUMIER, Alexandre wrote:
>> > + # check propagate on bridge itself
>> > + return 1 if $self->check_any($username, $path, $privs,
>> > $noerr);
>>
>> this doesn't actually check propagation though? for that you could
>> either:
>> - use $self->permissions (it returns the propagate bit)
>> - query a non-existing vlan child path with check_any
>>
>>
>
> do we really need to check propagation?
>
> Here, we want to check if the user has permission to the bridge,
>
> if the user has an ACL on a VLAN of the bridge
>
> or
>
> if the user has access to the bridge (propagate or not).
>
> for example, if I check with a dummy vlanid, /sdn/zones/myzone/vnet1/0,
>
> It'll be ok if the user has propagate on vnet1, but not if the user
> doesn't have propagate
you are right, we don't need to check for propagation here. so basically
we have two parts - maybe those could be added as a comment, and another
higher-level one for the whole helper to make it clear what it actually
checks:
# checks whether user has $privs on the bridge/vnet in any fashion
sub check_sdn_bridge {
..
# check explicit VLAN tag ACLs
..
# check bridge/vnet itself
..
}
and then we could also turn the order around, and check the bridge
first as a fast path that does less work?
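To make the propagate point above concrete, here is a small Python model (added here, not PVE code; the ACL table, user names and the SDN.Use privilege name are constructed) of path ACLs with a propagate bit, with the two-part helper in the order suggested: bridge/vnet first, explicit VLAN tag ACLs second.

```python
from typing import Dict, Set, Tuple

# Constructed sample ACL table: path -> {user: (privs, propagate)}.
# Not real PVE data; it only models the propagate bit of a path ACL.
ACL: Dict[str, Dict[str, Tuple[Set[str], bool]]] = {
    "/sdn/zones/myzone/vnet1": {
        "alice": ({"SDN.Use"}, False),  # ACL on the bridge, no propagate
        "bob":   ({"SDN.Use"}, True),   # ACL on the bridge, propagates
    },
    "/sdn/zones/myzone/vnet1/10": {
        "carol": ({"SDN.Use"}, True),   # ACL only on VLAN tag 10
    },
}


def permissions(user: str, path: str) -> Set[str]:
    """Effective privileges on `path`: an ACL on the path itself always
    counts, an ACL on an ancestor counts only if it propagates."""
    privs: Set[str] = set()
    parts = path.rstrip("/").split("/")
    for i in range(len(parts), 1, -1):
        prefix = "/".join(parts[:i])
        entry = ACL.get(prefix, {}).get(user)
        if entry is not None:
            p, propagate = entry
            if prefix == path or propagate:
                privs |= p
    return privs


def check_any(user: str, path: str, privs) -> bool:
    """True if the user holds at least one of `privs` on `path`."""
    return bool(permissions(user, path) & set(privs))


def check_sdn_bridge(user: str, zone: str, vnet: str, privs) -> bool:
    """Checks whether the user has $privs on the bridge/vnet in any fashion."""
    base = f"/sdn/zones/{zone}/{vnet}"
    # check bridge/vnet itself (propagate or not): fast path, no ACL scan
    if check_any(user, base, privs):
        return True
    # check explicit VLAN tag ACLs: any ACL path directly below the vnet
    for path in ACL:
        if path.startswith(base + "/") and check_any(user, path, privs):
            return True
    return False
```

Probing a dummy VLAN child such as `/sdn/zones/myzone/vnet1/0` only succeeds for users whose bridge ACL propagates (bob), while alice, who holds a non-propagating ACL on the bridge, would be wrongly rejected; checking the bridge path itself covers both.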