[pve-devel] [PATCH pve-access-control v4 1/1] permissions: add ACL paths for SDN fabrics

Gabriel Goller g.goller at proxmox.com
Wed Jul 2 16:50:20 CEST 2025


From: Stefan Hanreich <s.hanreich at proxmox.com>

Add permission path /sdn/fabrics/{fabric_id}. There are currently only
SDN-specific permissions for the fabric itself, not the nodes. For
displaying / editing the nodes, the existing permissions Sys.Audit or
Sys.Modify on /nodes/{node} are required, because they are already
used for viewing / editing the network configuration of a node.

The node settings mostly revolve around configuring IPs and network
interfaces on that node, so we decided to stick with the permission
that is already governing that, since it would need to be checked when
editing a node anyway. Otherwise, users with access to a fabric node
could change parts of the network configuration of arbitrary
interfaces on that node, circumventing the current permission checks. A
separate, SDN-specific, permission would not add much benefit because
of that.

Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
---
 src/PVE/AccessControl.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 7cd912954c9a..cebb76f765ad 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -1285,6 +1285,8 @@ sub check_path {
 	|/sdn/controllers/[[:alnum:]\_\-]+
 	|/sdn/dns
 	|/sdn/dns/[[:alnum:]]+
+	|/sdn/fabrics
+	|/sdn/fabrics/[[:alnum:]]+
 	|/sdn/ipams
 	|/sdn/ipams/[[:alnum:]]+
 	|/sdn/zones
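Review bot: the character class in the added line |/sdn/fabrics/[[:alnum:]]+ accepts only letters and digits, while the /sdn/controllers/[[:alnum:]\_\-]+ entry at the top of this hunk also accepts "_" and "-". If a fabric ID can contain either character, check_path would reject the ACL path for that fabric, so no permission could be assigned on it. Please confirm that this class matches the fabric ID format and, if it does not, widen it to the same form the controllers entry uses. The commit message states that node access stays under /nodes/{node}, so the absence of a deeper path below /sdn/fabrics/{fabric_id} looks intentional. A short comment next to the two new lines saying so would keep a later change from adding a node sub-path here without revisiting that decision.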
-- 
2.39.5




