Re: [pve-devel] [PATCH pve-manager 2/2] api2 : network: anybridge: don't display bridges if user have access to vnets.

Sat, 07 Aug 2021 09:00:34 -0700 

Hi,
abou this patch, I'm not sure it's the right way, a forum user request
that also sdnadmin can view vmbrX.

I don't known how to hide correctly vmbrX bridge, as currently , we
don't have any permissions management,
and I don't want to break current users setup.

maybe could we add a special permission like "noaccess" with path like
/bridge/vmbrX  ?
(we currently have a role "noaccess", but it's simply a role without
any permission.


Le jeudi 05 août 2021 à 16:59 +0200, Alexandre Derumier a écrit :
> This remove vmbr* from bridgeselector if user have access to vnets.
> (as currently, we don't have have permission management on vmbr$)
> 
> Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
> ---
>  PVE/API2/Network.pm | 19 ++++++++++++-------
>  1 file changed, 12 insertions(+), 7 deletions(-)
> 
> diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
> index a26f36d2..02bd3bdb 100644
> --- a/PVE/API2/Network.pm
> +++ b/PVE/API2/Network.pm
> @@ -226,6 +226,7 @@ __PACKAGE__->register_method({
>         my ($param) = @_;
>  
>         my $rpcenv = PVE::RPCEnvironment::get();
> +       my $authuser = $rpcenv->get_user();
>  
>         my $tmp = PVE::INotify::read_file('interfaces', 1);
>         my $config = $tmp->{data};
> @@ -238,20 +239,24 @@ __PACKAGE__->register_method({
>         delete $ifaces->{lo}; # do not list the loopback device
>  
>         if ($param->{type}) {
> +           my $vnets = {};
> +           my $filtered_sdn = undef;
> +           if ($have_sdn && $param->{type} eq 'any_bridge') {
> +               $vnets = PVE::Network::SDN::get_local_vnets();
> +               $filtered_sdn = 1 if $authuser ne 'root@pam' && keys
> %{$vnets} > 0;
> +           }
> +
>             foreach my $k (keys %$ifaces) {
>                 my $type = $ifaces->{$k}->{type};
>                 my $match =  ($param->{type} eq $type) || (
>                     ($param->{type} eq 'any_bridge') && 
>                     ($type eq 'bridge' || $type eq 'OVSBridge'));
> -               delete $ifaces->{$k} if !$match;
> +               delete $ifaces->{$k} if !$match || $filtered_sdn;
>             }
>  
> -           if ($have_sdn && $param->{type} eq 'any_bridge') {
> -               my $vnets = PVE::Network::SDN::get_local_vnets();
> -               map {
> -                   $ifaces->{$_} = $vnets->{$_};
> -               } keys %$vnets;
> -           }
> +           map {
> +               $ifaces->{$_} = $vnets->{$_};
> +           } keys %$vnets;
>         }
>  
>         return PVE::RESTHandler::hash_to_array($ifaces, 'iface');

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to