Am 05/06/2023 um 01:37 schrieb Alexandre Derumier:
> test first if the user has access to the full zone (any bridge/vlan)
> if a tag is defined, test if the user has specific access to the vlan (or 
> propagate from the full bridge acl)
> if no tag, test if the user has access to the full bridge. (if trunks are defined, 
> it also needs access to the full bridge)
> 
> Signed-off-by: Alexandre Derumier <aderum...@odiso.com>
> ---
>  PVE/API2/Qemu.pm | 38 +++++++++++++++++++++++++++++++++++++-
>  1 file changed, 37 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
> index 587bb22..4de7b32 100644
> --- a/PVE/API2/Qemu.pm
> +++ b/PVE/API2/Qemu.pm
> @@ -46,6 +46,12 @@ use PVE::SSHInfo;
>  use PVE::Replication;
>  use PVE::StorageTunnel;
>  
> +my $have_sdn;
> +eval {
> +    require PVE::Network::SDN;
> +    $have_sdn = 1;
> +};
> +
>  BEGIN {
>      if (!$ENV{PVE_GENERATING_DOCS}) {
>       require PVE::HA::Env::PVE2;
> @@ -601,6 +607,34 @@ my $check_vm_create_usb_perm = sub {
>      return 1;
>  };
>  
> +my $check_bridge_access = sub {
> +    my ($rpcenv, $authuser, $param) = @_;
> +
> +    return 1 if $authuser eq 'root@pam';
> +
> +    foreach my $opt (keys %{$param}) {
> +     next if $opt !~ m/^net\d+$/;
> +     my $net = PVE::QemuServer::parse_net($param->{$opt});
> +     my $bridge = $net->{bridge};
> +     my $tag = $net->{tag};

should the code below move to a method in pve-guest-common, taking $bridge (or name it 
$vnet already) and $tag
as additional parameters, and then also be used by the container code?

> +     my $zone = 'local';
> +
> +     if ($have_sdn) {
> +         my $vnet_cfg = PVE::Network::SDN::Vnets::config();
> +         if (defined(my $vnet = 
> PVE::Network::SDN::Vnets::sdn_vnets_config($vnet_cfg, $bridge, 1))) {
> +             $zone = $vnet->{zone};
> +         }
> +     }
> +     # test first if user have access to the full zone (any bridge/vlan)
> +     return 1 if $rpcenv->check_any($authuser, "/sdn/zones/$zone", 
> ['SDN.Audit', 'SDN.Allocate'], 1);
> +     # if a tag is defined, test if user have a specific access to the vlan 
> (or propagate from full bridge acl)
> +     return 1 if $tag && $rpcenv->check_any($authuser, 
> "/sdn/vnets/$bridge/$tag", ['SDN.Audit', 'SDN.Allocate'], 1);
> +     # if no tag, test if user have access to full bridge. (if trunks are 
> defined, it need also access to full bridge)
> +     $rpcenv->check_any($authuser, "/sdn/vnets/$bridge", ['SDN.Audit', 
> 'SDN.Allocate']);
> +    }
> +    return 1;
> +};
> +
>  my $check_vm_modify_config_perm = sub {
>      my ($rpcenv, $authuser, $vmid, $pool, $key_list) = @_;
>  
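Review bot: The trunks rule that the comment on the final check describes is not enforced in $check_bridge_access: `$net->{trunks}` is never read, and a netX value carrying both `tag` and `trunks` returns at the per-VLAN check (`/sdn/vnets/$bridge/$tag`) without ever reaching the full-bridge check, so a user holding only a per-tag ACL can still configure a trunked port. Read `my $trunks = $net->{trunks};` next to `$tag` and guard the shortcut with `return 1 if $tag && !$trunks && $rpcenv->check_any($authuser, "/sdn/vnets/$bridge/$tag", ['SDN.Audit', 'SDN.Allocate'], 1);` so trunked ports always fall through to the full-bridge check. If the net format allows omitting `bridge`, `$bridge` is undef here and both ACL paths collapse to `/sdn/vnets/` with an uninitialized-value warning; an explicit `next if !defined($bridge);` (or a die, whichever matches the intended policy) before the zone lookup would make that case deliberate rather than accidental. The trailing `1` passed to `sdn_vnets_config` is presumably a noerr flag; a short comment such as `# noerr: unknown bridges fall back to the 'local' zone` would save the next reader a lookup.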
> @@ -878,7 +912,7 @@ __PACKAGE__->register_method({
>  
>           &$check_vm_create_serial_perm($rpcenv, $authuser, $vmid, $pool, 
> $param);
>           &$check_vm_create_usb_perm($rpcenv, $authuser, $vmid, $pool, 
> $param);
> -
> +         &$check_bridge_access($rpcenv, $authuser, $param);
>           &$check_cpu_model_access($rpcenv, $authuser, $param);
>  
>           $check_drive_param->($param, $storecfg);
> @@ -1578,6 +1612,8 @@ my $update_vm_api  = sub {
>  
>      &$check_storage_access($rpcenv, $authuser, $storecfg, $vmid, $param);
>  
> +    &$check_bridge_access($rpcenv, $authuser, $param);
> +
>      my $updatefn =  sub {
>  
>       my $conf = PVE::QemuConfig->load_config($vmid);


