[pve-devel] [PATCH access-control 1/2] acl: allow more nesting for /mapping acl paths

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Nov 13 16:41:53 CET 2023

Am 10/11/2023 um 09:47 schrieb Lukas Wagner:
> I don't have any strong preference for any form, I just think
> that some consistency with the API would be nice - and changing
> the API routes would be much more work ;)

hehe OK, as said, it doesn't matters that much so I'm fine with whatever
you prefer here.

> And regarding the granularity: Yes, maybe that's a bit overkill now. The 
> per-target permissions were kind of important with the 'old' system 
> where we would select a target at the notification call site (e.g. a 
> backup job), but with the new 'pub-sub'-alike system it probably does 
> not matter that much any more. But I don't really have any strong 
> preference here as well.

FWIW, we can extend the system with the next major release, but it's
almost impossible to shrink it again without causing a bigger fall out
(if it's used at all that is), so just from that starting out with a
smaller scope would be better. But here we would need to reduce the
scope quite a bit, i.e., having just /mappings/notifications left, as
otherwise there's no good way to (potentially) extent that in the future -
which (while better than root-only via configuring postfix now)
is definitively limited.

So yeah, whatever we do, this is something that can only be judged well
in retro-perspective through user feedback, just go with your gut-feeling
I guess.

More information about the pve-devel mailing list