[pve-devel] applied-series: [PATCH-SERIE pve-access-control/pve-manager/pve-guest-common/qemu-server/pve-network] check permissions on local bridge

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jun 12 16:39:24 CEST 2023 

applied the pve-manager and pve-network patches (and your pve-network
follow-up, plus some fixes of my own).

some more things that might be worthy of a follow-up:
- for the ACL panel of a zone, also displaying the vnet + vlan ACLs
  might be nice
- for the ACL panel fo a vnet, also displaying zone ACLs of the vnet
  zone might be nice

this would be similar to how we display datastore permissions in the PBS
GUI (I know that other specific permission views in PVE are also lacking
this, but for VNETs it's especially visible ;))

- the ACL Add button is not correctly initialized with a disabled state
  before the first vnet is selected

On June 7, 2023 2:03 pm, Alexandre Derumier wrote:
> add vnet/localbridge permissions management
> 
> Hi,
> as we has discuted some weeks ago,
> this patche serie introduce management of acl for vnets && local bridges
> 
> The permission path is:
> 
> /sdn/zones/<zone>/<vnet>
> 
> where the local vmbr are in a virtual "localnetwork" zone
> 
> /sdn/zones/localnetwork/<vnet>
> 
> Vlans permissions  are also handled with
> /sdn/zones/<zone>/<vnet>/<tag>
> 
> if user have permissions on the vnet/tag, he have access to only the specific vlan.
> if user have permissions on the vnet with propagate, he have access to all vlans of the vnet
> if user have permissions on the vnet without propagate, he have access to bridge only without any vlan
> 
> 
> I have reworked the sdn zone panel from the tree, to manage permissions
> on displayed vnets. (patch 3 && 4 pve-manager)
> 
> some screenshots:
> 
> https://mutulin1.odiso.net/sdnzone-perm.png
> https://mutulin1.odiso.net/localzone-perm.png
> 
> 
> 
> changelog v2:
>  - use /vnets/vlan instead /vnets.vlan
>  - rework the bridge filtering when user have access only to a specific vlan
>  - api2 network: always check bridge access if no filter is defined
> 
> changelog v3:
>  - use /sdn/zones/<zone>/vnets/vlan instead /sdn/vnets/vnets.vlan
>  - add SDN.Use permission
>  - pve-manager: split ui code (could be applied later)
>  - remove check on zone (it's now propagate with new path)
>  - move check_vnet_access to pve-guest-common for lxc reuse
>  - pve-network: fix vnet/tag perm check
> 
> changelog v4:
>  - qemu-server: check permissions on backup restore
>  - guest-common: check trunks permissions
> 
> todo:
>  - implement lxc check permissions
> 
> 
> 
> pve-access-control:
> 
> Alexandre Derumier (3):
>   access control: add /sdn/zones/<zone>/<vnet>/<vlan> path
>   rpcenvironnment: add check_sdn_bridge
>   add new SDN.use privilege in PVESDNUser role
> 
>  src/PVE/AccessControl.pm  |  6 +++++-
>  src/PVE/RPCEnvironment.pm | 18 ++++++++++++++++++
>  2 files changed, 23 insertions(+), 1 deletion(-)
> 
> pve-manager:
> 
> Alexandre Derumier (4):
>   api2: network: check permissions for local bridges
>   api2: cluster: ressources: add "localnetwork" zone
>   ui: add vnet permissions panel
>   ui: add permissions management for "localnetwork" zone
> 
>  PVE/API2/Cluster.pm                  |  14 ++
>  PVE/API2/Network.pm                  |  25 ++-
>  www/manager6/Makefile                |   2 +
>  www/manager6/sdn/Browser.js          |  17 +-
>  www/manager6/sdn/VnetACLView.js      | 289 +++++++++++++++++++++++++++
>  www/manager6/sdn/ZoneContentPanel.js |  41 ++++
>  www/manager6/sdn/ZoneContentView.js  |  52 ++++-
>  7 files changed, 411 insertions(+), 29 deletions(-)
>  create mode 100644 www/manager6/sdn/VnetACLView.js
>  create mode 100644 www/manager6/sdn/ZoneContentPanel.js
> 
> pve-guest-common:
> 
> Alexandre Derumier (1):
>   helpers : add check_vnet_access
> 
>  src/PVE/GuestHelpers.pm | 49 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 49 insertions(+)
> 
> qemu-server:
> 
> Alexandre Derumier (1):
>   api2: add check_bridge_access for create/update/clone/restore vm
> 
>  PVE/API2/Qemu.pm | 33 +++++++++++++++++++++++++++++----
>  1 file changed, 29 insertions(+), 4 deletions(-)
> 
> 
> pve-network:
> 
> Alexandre Derumier (1):
>   get_local_vnets: fix permission path && perm
> 
>  PVE/Network/SDN.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
>

More information about the pve-devel mailing list