On June 6, 2023 7:32 am, DERUMIER, Alexandre wrote:
> On Monday, June 05, 2023 at 12:13 +0200, Fabian Grünbichler wrote:
>> On June 5, 2023 1:37 am, Alexandre Derumier wrote:
>> > add vnet/localbridge permissions management
>> >
>> > Hi,
>> > as we have discussed some weeks ago,
>> > this patch series introduces management of ACLs for vnets && local
>> > bridges
>> >
>> > I have reused the current SDN permissions path, to have common paths
>> >
>> > /sdn/vnets/<zone>/<vnet>
>> >
>> > where the local vmbr are in a virtual "localnetwork" zone
>> >
>> > /sdn/vnets/local/<vnet>
>> >
>> > Vlan permissions are also handled with
>> > /sdn/vnets/<zone>/<vnet>/<tag>
>>
>> these paths don't match the patches ;)
>>
>> if the paths were like this, then we could go one step further and
>> admins could set propagate on the zone to hand out access to the full
>> zone, including all vnets *and* vlan tags, and we could just check the
>> vnet (or vnet+tag), and the zone would be implicitly checked as well (by
>> virtue of traversing the ACL path).
>>
>> we'd need to check for consistency of zone+vnet when checking ACLs
>> though, which is not required right now.
> oh yes, I think it was my first try.
>
> currently the vnet ids are unique (and possibly (at least in sdn) users
> could move the vnet between zones. (not implemented, but technically,
> it'll work, and ifreload is able to online replug the vnet with vm
> guests running).
>
> I don't think it is something that users want to do regularly, so maybe
> it's not a problem to use /zone/vnet/tag and it's more secure if users
> need to recheck the acl.
I just wanted to mention it since it caught my eye, treating zones and
vnets as independent also makes sense, it should just be consistent :)

there are pros and cons for both approaches:

- pro for current approach:
-- vnets can be moved/converted between zones, ACLs stay valid
-- no extra checks needed

- pro for zone/vnet/.. approach:
-- propagation from zone to vnet is possible without manually doing it at
   the check site
-- binding between zone and vnet is enforced at the ACL level

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
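To make the trade-off in the thread concrete, here is an added toy model of the two ACL path layouts (example code, not Proxmox code and not part of the thread). The propagation semantics (an entry applies to its path and, with propagate set, to everything below it; the deepest match wins), the role name, and the sample zone/vnet mapping are assumptions.

```python
# Toy model of the two ACL path layouts discussed on the list.
# Assumed semantics: acl maps path -> user -> (role, propagate); an entry
# applies to its own path and, if propagate is True, to every path below it.

def lookup_role(acl, user, path):
    """Walk from the full path up to the root; return the deepest entry that
    is either exact or propagating, else None."""
    parts = path.strip("/").split("/")
    for depth in range(len(parts), 0, -1):
        entry = acl.get("/" + "/".join(parts[:depth]), {}).get(user)
        if entry and (depth == len(parts) or entry[1]):
            return entry[0]
    return None

# Approach A ("current approach"): the path names only the vnet (assumed layout).
def check_vnet_flat(acl, user, vnet, tag=None):
    path = f"/sdn/vnets/{vnet}" + (f"/{tag}" if tag is not None else "")
    return lookup_role(acl, user, path)

# Approach B (zone/vnet/tag): a propagating grant on the zone covers all of its
# vnets and tags. Since the caller names the zone, the check must confirm the
# vnet really belongs to that zone; otherwise naming a zone one has access to
# would unlock a foreign vnet. This is the zone+vnet consistency check.
def check_vnet_hier(acl, vnet_zone, user, zone, vnet, tag=None):
    if vnet_zone.get(vnet) != zone:
        return None  # mismatch: refuse regardless of what the ACL says
    path = f"/sdn/vnets/{zone}/{vnet}" + (f"/{tag}" if tag is not None else "")
    return lookup_role(acl, user, path)

# Constructed sample data: vnet1 lives in zone1, vnet9 in zone2; role name is made up.
VNET_ZONE = {"vnet1": "zone1", "vnet9": "zone2"}
ACL_FLAT = {"/sdn/vnets/vnet1": {"alice": ("vnet-user", True)}}
ACL_HIER = {"/sdn/vnets/zone1": {"alice": ("vnet-user", True)},
            "/sdn/vnets/zone2/vnet9/200": {"bob": ("vnet-user", False)}}

def demo():
    r = {}
    # zone-level propagating grant reaches vnet1 and any vlan tag on it
    r["hier_zone_grant"] = check_vnet_hier(ACL_HIER, VNET_ZONE, "alice", "zone1", "vnet1", 100)
    # alice cannot reach vnet9 by naming zone1 (the ACL alone would say yes)
    r["hier_wrong_zone"] = check_vnet_hier(ACL_HIER, VNET_ZONE, "alice", "zone1", "vnet9")
    # non-propagating exact grant: bob gets tag 200 only, not tag 201
    r["hier_tag_only"] = check_vnet_hier(ACL_HIER, VNET_ZONE, "bob", "zone2", "vnet9", 200)
    r["hier_other_tag"] = check_vnet_hier(ACL_HIER, VNET_ZONE, "bob", "zone2", "vnet9", 201)
    # moving vnet1 to zone2: the flat ACL stays valid, the zone-bound one goes stale
    moved = dict(VNET_ZONE, vnet1="zone2")
    r["flat_after_move"] = check_vnet_flat(ACL_FLAT, "alice", "vnet1", 100)
    r["hier_after_move"] = check_vnet_hier(ACL_HIER, moved, "alice", "zone2", "vnet1", 100)
    return r
```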