[pve-devel] [PATCH pve-guest-common 1/1] helpers : add check_vnet_access
Alexandre Derumier
aderumier at odiso.com
Tue Jun 6 15:19:22 CEST 2023
If a tag is defined, check that the user has access to that specific VLAN (either directly, or propagated from the ACL on the full bridge or on the zone).
If no tag is given, check that the user has access to the full bridge. (If trunks are defined, access to the full bridge is also required.)
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/GuestHelpers.pm | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/src/PVE/GuestHelpers.pm b/src/PVE/GuestHelpers.pm
index b4ccbaa..53c63e8 100644
--- a/src/PVE/GuestHelpers.pm
+++ b/src/PVE/GuestHelpers.pm
@@ -10,10 +10,17 @@ use PVE::Storage;
use POSIX qw(strftime);
use Scalar::Util qw(weaken);
+my $have_sdn;
+eval {
+ require PVE::Network::SDN;
+ $have_sdn = 1;
+};
+
use base qw(Exporter);
our @EXPORT_OK = qw(
assert_tag_permissions
+check_vnet_access
get_allowed_tags
safe_boolean_ne
safe_num_ne
@@ -366,4 +373,22 @@ sub get_unique_tags {
return !$no_join_result ? join(';', $res->@*) : $res;
}
+sub check_vnet_access {
+ my ($rpcenv, $authuser, $vnet, $tag) = @_;
+
+ my $zone = 'localnetwork';
+
+ if ($have_sdn) {
+ my $vnet_cfg = PVE::Network::SDN::Vnets::config();
+ if (defined(my $vnet = PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $vnet, 1))) {
+ $zone = $vnet->{zone};
+ }
+ }
+
+ # if a tag is defined, test if user have a specific access to the vlan (or propagated from full bridge acl)
+ $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet/$tag", ['SDN.Use']) if $tag;
+ # if no tag, test if user have access to full bridge. (if trunks are defined, it need also access to full bridge)
+ $rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use']);
+}
+
1;
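Review bot: The whole-bridge check at `$rpcenv->check($authuser, "/sdn/zones/$zone/$vnet", ['SDN.Use']);` runs even when `$tag` is set, so a user who only holds SDN.Use on `/sdn/zones/$zone/$vnet/$tag` is still rejected, which contradicts the comment above it and the commit description (tag → per-VLAN ACL, no tag → whole bridge); appending `if !$tag` to that line restores the documented behaviour. If the unconditional check was instead meant to cover the trunk case the comment mentions, note that the function receives no trunks argument, so that case should be passed in and tested explicitly rather than applied to every tagged request. The `eval` guard only requires `PVE::Network::SDN`, while the body calls `PVE::Network::SDN::Vnets::config()`; unless that package is loaded transitively, the call dies at runtime on SDN-enabled hosts, so an explicit `require PVE::Network::SDN::Vnets;` in the guard (or confirming the transitive load) would be safer. The inner `my $vnet` in the `defined(...)` condition shadows the `$vnet` name parameter inside that block; a name like `$vnet_conf` avoids the double meaning. Both `$vnet` and `$tag` are interpolated straight into the ACL path, so this relies on callers having validated them against the bridge/VLAN schema — probably already the case, but worth confirming, and a tag of `0` takes the untagged path because `if $tag` tests truthiness.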
--
2.30.2