[pve-devel] applied: [PATCH access-control v5 1/1] add privileges and paths for cluster resource mapping
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Jun 7 19:03:05 CEST 2023
Am 06/06/2023 um 15:52 schrieb Dominik Csapak:
> uses the privileges:
>
> Mapping.Use
> Mapping.Modify
> Mapping.Audit
>
> on /mapping/{TYPE}/{id}
>
> so that we can assign privileges on resource level
>
> this will generate new roles (PVEMappingUser, PVEMappingAdmin,
> PVEMappingAuditor)
>
> note that every user with Permissions.Modify on '/' and propagate can add these
> new roles to themselves
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v4:
> * administrator retains the mapping privs
> * add Mapping.Audit priv
> * slight modification of the regex for types only (remove trailing slash)
> * add Permissions.Modify to regex of compute_api_permission
>
> src/PVE/AccessControl.pm | 19 +++++++++++++++++++
> src/PVE/RPCEnvironment.pm | 3 ++-
> 2 files changed, 21 insertions(+), 1 deletion(-)
>
>
applied, thanks!
Albeit I shortly hesitated w.r.t. ACL path regex, from my gut feeling I'd have
liked it slightly more if we'd enforce that the components begin with a character
from [:alnum:], but as SDN and pools already are a bit more flexible I did not
care enough to "fix" that.
More information about the pve-devel
mailing list