[pve-devel] [PATCH access-control 1/2] allow up to three levels of pool nesting
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Nov 17 16:31:10 CET 2023
> Wolfgang Bumiller <w.bumiller at proxmox.com> hat am 17.11.2023 11:00 CET geschrieben:
>
>
> On Thu, Nov 16, 2023 at 04:31:25PM +0100, Fabian Grünbichler wrote:
> > with ACLs being inherited along the pool hierarchy.
> >
> > Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> > ---
> > src/PVE/AccessControl.pm | 10 ++++++++--
> > src/test/perm-test6.pl | 16 ++++++++++++++++
> > src/test/test6.cfg | 5 +++++
> > 3 files changed, 29 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
> > index 9600e59..d9ae611 100644
> > --- a/src/PVE/AccessControl.pm
> > +++ b/src/PVE/AccessControl.pm
> > @@ -1264,7 +1264,7 @@ sub check_path {
> > |/nodes
> > |/nodes/[[:alnum:]\.\-\_]+
> > |/pool
> > - |/pool/[[:alnum:]\.\-\_]+
> > + |/pool/(:?[[:alnum:]\.\-\_]+\/?)+
>
> Should we incorporate the 3 level limit here?
> eg. [chars]+(?:/[chars]+){0,2}
> Although regex would differ from the one used below (although it could
> use the same with only the `{0,2}` bit removed...).
well, there is no harm in accepting a sub-ACL path that has no effect. we usually have the opposite issue (forgetting to add/extending the entries here), but I also don't mind adding it here and a reminder comment below where the limit is enforced for the config/parameter values.
> > |/sdn
> > |/sdn/controllers
> > |/sdn/controllers/[[:alnum:]\_\-]+
More information about the pve-devel
mailing list