Hi Fabian,

On Wednesday, 27 April 2022 at 13:36 +0200, Fabian Grünbichler wrote:
> commit 052fbb2a4d1bdeb490b2e3b67cd7555e460ebe93 introduced permission
> checks here that caused all regular bridges to be removed from the
> returned list as soon as the SDN package is installed, unless the user
> is root@pam or there exists a VNET with the same ID.

mmm, this is unexpected. With my original patch:

If the user doesn't have any permissions on vnets:
- all vmbrX bridges are displayed
- no vnets are displayed

If the user has a permission on at least 1 vnet:
- vmbrX bridges are no longer displayed (until you add a specific permission with /sdn/vnets/vmbrX)
- only vnets with permissions are displayed

I didn't see it, but Thomas has reworked it:
https://git.proxmox.com/?p=pve-manager.git;a=commit;h=640c0b26891c408d0456c355b3724c1be18cc75f
and the behaviour seems to be different:

If the user doesn't have any permissions on vnets:
- no vmbrX displayed ----> different behaviour
- no vnets are displayed

If the user has a permission on at least 1 vnet:
- vmbrX bridges are no longer displayed (until you add a specific permission with /sdn/vnets/vmbrX)
- only vnets with permissions are displayed

With your patch, it seems to be different too:

If the user doesn't have any permissions on vnets:
- vmbrX displayed
- no vnets are displayed

If the user has a permission on at least 1 vnet:
- vmbrX bridges are still displayed ----> different behaviour
- only vnets with permissions are displayed

> this is arguably a breaking change, so limit the priv check to actually
> defined VNETs for the time being, and add ALL regular bridges
> unconditionally like before.
>
> get_local_vnets already filters by the same privs, so we need to get the
> full config to find out which IDs are VNETs and which are not.
>
> once/iff we introduce ACL paths for all bridges in the future, we can
> limit accordingly here.
>
> CC: Alexandre Derumier <aderum...@odiso.com>
> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com>
> ---
>  PVE/API2/Network.pm | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/PVE/API2/Network.pm b/PVE/API2/Network.pm
> index 214ab50a..a43579fa 100644
> --- a/PVE/API2/Network.pm
> +++ b/PVE/API2/Network.pm
> @@ -240,13 +240,16 @@ __PACKAGE__->register_method({
>
>      if (my $tfilter = $param->{type}) {
>          my $vnets;
> +        my $vnet_cfg;
>          my $can_access_vnet = sub { # only matters for the $have_sdn case, checked implict
>              return 1 if $authuser eq 'root@pam' || !defined($vnets);
> +            return 1 if !defined(PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $_[0], 1)); # not a vnet
>              $rpcenv->check_any($authuser, "/sdn/vnets/$_[0]", ['SDN.Audit', 'SDN.Allocate'], 1)
>          };
>
>          if ($have_sdn && $param->{type} eq 'any_bridge') {
>              $vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered
> +            $vnet_cfg = PVE::Network::SDN::Vnets::config();
>          }
>
>          for my $k (sort keys $ifaces->%*) {

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel