[pve-devel] [PATCH access-control 1/2] allow up to three levels of pool nesting

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Nov 17 16:31:10 CET 2023


> Wolfgang Bumiller <w.bumiller at proxmox.com> hat am 17.11.2023 11:00 CET geschrieben:
> 
>  
> On Thu, Nov 16, 2023 at 04:31:25PM +0100, Fabian Grünbichler wrote:
> > with ACLs being inherited along the pool hierarchy.
> > 
> > Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> > ---
> >  src/PVE/AccessControl.pm | 10 ++++++++--
> >  src/test/perm-test6.pl   | 16 ++++++++++++++++
> >  src/test/test6.cfg       |  5 +++++
> >  3 files changed, 29 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> > index 9600e59..d9ae611 100644
> > --- a/src/PVE/AccessControl.pm
> > +++ b/src/PVE/AccessControl.pm
> > @@ -1264,7 +1264,7 @@ sub check_path {
> >  	|/nodes
> >  	|/nodes/[[:alnum:]\.\-\_]+
> >  	|/pool
> > -	|/pool/[[:alnum:]\.\-\_]+
> > +	|/pool/(:?[[:alnum:]\.\-\_]+\/?)+
> 
> Should we incorporate the 3 level limit here?
>     eg. [chars]+(?:/[chars]+){0,2}
> Although regex would differ from the one used below (although it could
> use the same with only the `{0,2}` bit removed...).

well, there is no harm in accepting a sub-ACL path that has no effect. we usually have the opposite issue (forgetting to add/extending the entries here), but I also don't mind adding it here and a reminder comment below where the limit is enforced for the config/parameter values.
 
> >  	|/sdn
> >  	|/sdn/controllers
> >  	|/sdn/controllers/[[:alnum:]\_\-]+





More information about the pve-devel mailing list