On 16/11/2022 at 10:04, Dominik Csapak wrote:
> On 11/16/22 09:54, Thomas Lamprecht wrote:
>> On 16/11/2022 at 09:47, Dominik Csapak wrote:
>>>> I am not sure the second sentence is necessary, or rather, wouldn't it be better
>>>> to make the two lists mutually exclusive? e.g., by removing privileged tags from
>>>> the other list?
>>>
>>> i don't really want to auto remove stuff from one option when set on another.
>>> maybe it'd make more sense if we don't allow setting an admin tag when
>>> it's already set in the 'user-allow-list' and vice versa? then
>>> there cannot be a situation where a tag is in both lists at the same time?
>>>
>>
>>
>> Limits use cases, as we'll only ever allow priv'd tags to be used for things
>> like backup job guest-source selection, and there may be scenarios where an
>> admin wants to allow the user to set specific privileged tags in the VMs
>> they control.
>>
>> To make that work we'd:
>> - explicitly allow such listed tags for "normal" VM users even if they're in the
>>   privileged-tags (that's why I used the term "registered" in previous comments,
>>   might be better suited if we deem that privileged is then confusing)
>>
>> - highlight the fact if a tag is in both
>>
>
> ok, then i have to change the permission checking code (currently i forbid
> 'normal' users the tag if it was in the 'privileged-tags' section, regardless
> if it was in the 'user-allow-list' or not)

maybe wait on Fabian's opinion on that, I don't want to push this too strongly
but can imagine that it might be sensible and useful, and hard to change later.

>
> how would you highlight that? a warning on the cli/syslog/etc. is not
> visible, but on the ui we don't really have an obvious place to do so
>
> i could try to add a separate 'warning' row in the object grid when
> that happens, not sure if that's what you meant though
>

Syslog is never the place for such things, needs to happen on edit, and for
now there's no CLI so GUI is the only place we need to care about (edit cfgs
manually -> be on your own).

So a bottom section that shows a hint about the tags that are in both lists,
the hint would then be located in the edit windows for registered and
allowed-list of tags, so it doesn't necessarily need to be inline (i.e., some
highlight in the existing tag edit).