Assigning permission to a zone via CLI

[Axl_fzetafs]

Hi,

I've been going in a circle for an hour now in order to understand how to assign a zones/vnet to an user through CLI.
Could anybody be so kind to tell if it is possible and how to do it?

Alex

 

[fabian]

you can give "SDN.Audit" or "SDN.Allocate" on the ACL path "/sdn/vnets/XXXX", but coverage is currently not yet complete so please treat it as mostly cosmetic for the time being. it filters the list of vnets returned when listing network interfaces, but it's not actually checked when assigning a guest NIC, where VM.Config.Network allows choosing any real bridge or VNET as bridge when configuring via the API.

work to make vnets (and regular bridges) proper entities in the ACL scheme that are checked all around, like storages are, is still ongoing (SDN is still marked as a preview/experimental feature for a reason!).

 

[Axl_fzetafs]

Thanks @fabian for your reply. For the moment I would like to know how to do through PVESH what is possible to be done in the GUI.
We would like to give our students the possiblity to create their own plan of 802.1q VLANs, as they had the possibility to build a network from scratch. Hence when 50 new students come in, I'd rather automate all the stuff
I apologize if actually you answered my question and I haven't got it.

Alex

 

[fabian]

yeah, the ACL paths are /sdn/TYPEs/TYPE_INSTANCE , e.g. if you have a controller named foobar then the corresponding ACL path is /sdn/controllers/foobar . the TYPE can be controller, ipam, dns, zone or vnet, with vnets having another layer below (e.g., /sdn/vnets/myvnet/subnets/mysubnet). for all of these paths you can define SDN.Audit (see the SDN config) or SDN.Allocate (change it). but any user will be able to use any SDN part if they manually call the API to modify a guest config, they are only cosmetically filtered in the GUI at the moment when configuring guests.