[pve-devel] [PATCH access-control 1/2] PVE/AccessControl: add Hardware.* privileges and /hardware/ paths

[Dominik Csapak]

so that we can assign privileges on hardware level

this will generate a new role (PVEHardwareAdmin)

Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
---
 src/PVE/API2/AccessControl.pm |  3 ++-
 src/PVE/AccessControl.pm      | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index a77694b..b28ce2c 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -178,10 +178,11 @@ my $compute_api_permission = sub {
        nodes => qr/Sys\.|Permissions\.Modify/,
        sdn => qr/SDN\.|Permissions\.Modify/,
        dc => qr/Sys\.Audit|SDN\./,
+       hardware => qr/HW\./,
     };
     map { $res->{$_} = {} } keys %$priv_re_map;
 
-    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', 
'/sdn'];
+    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', 
'/sdn', '/hardware'];
 
     my $checked_paths = {};
     foreach my $path (@$required_paths, keys %{$usercfg->{acl}}) {
diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm
index 2569a35..334b6bd 100644
--- a/src/PVE/AccessControl.pm
+++ b/src/PVE/AccessControl.pm
@@ -822,6 +822,17 @@ my $privgroups = {
            'Pool.Audit',
        ],
     },
+    Hardware => {
+       root => [
+           'Hardware.Configure', # create/edit mappings
+       ],
+       admin => [
+           'Hardware.Use',
+       ],
+       audit => [
+           'Hardware.Audit',
+       ],
+    },
 };
 
 my $valid_privs = {};
@@ -948,6 +959,8 @@ sub check_path {
        |/storage/[[:alnum:]\.\-\_]+
        |/vms
        |/vms/[1-9][0-9]{2,}
+       |/hardware
+       |/hardware/[[:alnum:]\.\-\_]+
     )$!xs;
 }
 
-- 
2.20.1



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel