[pve-devel] applied: [PATCH access-control v5 1/1] add privileges and paths for cluster resource mapping

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jun 7 19:03:05 CEST 2023


On 06/06/2023 at 15:52, Dominik Csapak wrote:
> uses the privileges:
> 
> Mapping.Use
> Mapping.Modify
> Mapping.Audit
> 
> on /mapping/{TYPE}/{id}
> 
> so that we can assign privileges on resource level
> 
> this will generate new roles (PVEMappingUser, PVEMappingAdmin,
> PVEMappingAuditor)
> 
> note that every user with Permissions.Modify on '/' and propagate can add these
> new roles to themselves
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> changes from v4:
> * administrator retains the mapping privs
> * add Mapping.Audit priv
> * slight modification of the regex for types only (remove trailing slash)
> * add Permissions.Modify to regex of compute_api_permission
> 
>  src/PVE/AccessControl.pm  | 19 +++++++++++++++++++
>  src/PVE/RPCEnvironment.pm |  3 ++-
>  2 files changed, 21 insertions(+), 1 deletion(-)
> 
>

applied, thanks!

Albeit I briefly hesitated w.r.t. the ACL path regex; from my gut feeling I'd have
liked it slightly more if we enforced that the components begin with a character
from [:alnum:], but as SDN and pools are already a bit more flexible I did not
care enough to "fix" that.
