SDN group/pool permissions

h3po

Member
Aug 3, 2021
I'm trying out the experimental SDN feature and am confused about how to assign permissions to use a zone or VLAN vnet to a group, or how to add it as a resource to a pool. The documentation states "It’s also possible to add permissions on a zone, to restrict user to use only a specific zone and only the VNets in that zone". I can't figure out how to restrict the usage to a specific zone; I can give SDN.Audit to a user, and in combination with VM.Config.Network they can then use any of the zones.
Can someone enlighten me? @spirit maybe?
 
Hi,

Currently, pool permissions are not yet implemented,
but it's possible to give permissions on a zone to a user or a group.

Just click on the zone in the left tree, then Permissions (this is exactly like storage permissions).

It seems that I forgot to add permissions for a specific vnet (it should be possible to do it at datacenter level, with a path like /sdn/vnets/....). I'll try to fix that.
 
I don't see what you mean by "left tree on the zone" or a permission button in SDN->Zones.
If I were to do it via the config, which path would it be? I tried some like /zone/zone68 without success.
 
I mean, in the left tree ;) where all the VMs, local storage, ... are displayed.

The zone should be displayed there too if the SDN config has been applied.
 
Huh... ok, sorry, I've never used that tree. I assign my storage permissions by assigning a role to a path like /storage/local-zfs. So what I was looking for is a path like /sdn in the global permission dialog dropdown.
Thanks for the quick reply.
 
It's possible to do it in the global permissions too, but I didn't notice that the dropdown doesn't display it. I'll try to fix that, thanks.
 
Now what I'm missing is a way to prevent direct use of vmbr0 by users that have the PVEVMAdmin role.
Yes, I don't know yet how to add permissions on vmbr0 so that it can't be used.
Maybe a special permission on the / path like "SDN.novmbr".

(A hacky way could be to use a name other than "vmbr*" for the bridge.)
 
Thanks, renaming the bridge is a usable workaround for now.
Another suggestion: when creating a VLAN zone, make the bridge selection a dropdown. It won't work while the bridge is renamed (because the adapter type is then not recognized as "bridge"), but in the standard case this would help when creating a zone.
 
@h3po I just sent patches to the pve-devel mailing list:

- add the zones list to the main datacenter permissions management combo
- add support for adding permissions on a specific vnet path "/sdn/vnets/xxx"
- remove vmbrX from the dropdown if the user has permission on at least 1 vnet
 
Thank you for working on this. Sadly I can't help with 0 Perl and JS experience.
Just reading "remove vmbrX from the dropdown if the user has permission on at least 1 vnet" sounds to me like it might cause problems for users that have the PVEAdmin role and therefore always have access to a vnet if one exists. A cleaner way would be to create a permission path like /bridge/vmbr0 that one can set NoAccess on for non-privileged users.
 
The main problem is that "NoAccess" is a role, not a permission (it's a role without any permissions).
But in the code, we allow access if a permission exists, not the reverse way.

But maybe I could improve this like this: if the user has a permission on at least 1 vnet, it'll require permissions on /bridge/vmbrX too for displaying it.

Or another way: if the user has the SDN.allocate permission, I don't filter bridges.

I need to talk with the Proxmox devs about this.
 
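An added illustration (not code from this thread, from Proxmox VE or from pve-network) of the path-based ACL model that the /sdn/zones/<zone> and /sdn/vnets/<vnet> permission paths rely on, and of why NoAccess on its own cannot hide vmbr0: a role is only consulted on a path that some check actually reads, and a plain bridge has no path. The privilege sets of the roles, the rule that SDN.Audit on the zone path or on the vnet path makes a vnet usable, the custom SDNUser role and the /bridge/<name> path are assumptions taken from the discussion above. On a real node the equivalent grants are made with `pveum acl modify <path> --roles <role> --users <user>`, and the effective privileges can be inspected with `pveum user permissions <user> --path <path>`.

```python
"""Toy model of path-based ACL evaluation for Proxmox-style SDN permissions.

Added example for this thread, not code from Proxmox VE or pve-network.
Modelled (simplified) semantics:
  * an ACL entry binds roles to a user at a path; with propagate=True it
    also applies to every sub-path;
  * entries on a more specific path replace the roles inherited from above;
  * NoAccess is a role with an empty privilege set, so it only has an
    effect on a path that some check actually consults.
Assumed for the illustration: the privilege sets below, the vnet rule in
can_attach_vnet(), and the /bridge/<name> path (not a real PVE path).
"""
from dataclasses import dataclass, field

# Role -> privileges. PVEVMAdmin is trimmed to what matters here.
ROLES = {
    "NoAccess": frozenset(),
    "PVEVMAdmin": frozenset({"VM.Allocate", "VM.Config.Network"}),
    "PVESDNAdmin": frozenset({"SDN.Allocate", "SDN.Audit"}),
    "SDNUser": frozenset({"SDN.Audit"}),  # assumed custom role
}


@dataclass
class AclEntry:
    path: str
    user: str
    roles: frozenset
    propagate: bool = True


@dataclass
class Acl:
    entries: list = field(default_factory=list)

    def grant(self, path, user, *roles, propagate=True):
        self.entries.append(AclEntry(path, user, frozenset(roles), propagate))

    def roles_for(self, user, path):
        """Walk from '/' down to `path`; deeper entries override inherited ones."""
        segments = [s for s in path.split("/") if s]
        prefixes = ["/"] + ["/" + "/".join(segments[:i + 1]) for i in range(len(segments))]
        roles = set()
        for prefix in prefixes:
            exact = prefix == prefixes[-1]
            here = set()
            for e in self.entries:
                if e.user == user and e.path == prefix and (exact or e.propagate):
                    here |= e.roles
            if here:
                roles = here
            if "NoAccess" in roles:
                return {"NoAccess"}  # blocks this path and everything below it
        return roles

    def privileges(self, user, path):
        privs = set()
        for role in self.roles_for(user, path):
            privs |= ROLES[role]
        return privs

    def check(self, user, path, priv):
        return priv in self.privileges(user, path)


def can_attach_vnet(acl, user, zone, vnet):
    """Assumed rule: a zone-level grant exposes every vnet in the zone,
    a vnet-level grant exposes only that vnet."""
    return (acl.check(user, f"/sdn/zones/{zone}", "SDN.Audit")
            or acl.check(user, f"/sdn/vnets/{vnet}", "SDN.Audit"))


def can_attach_bridge(acl, user, bridge, vm_path, sees_a_vnet):
    """Plain bridges have no ACL path of their own: the only gate is
    VM.Config.Network on the VM. Modelling the refinement proposed above, a
    user who already sees at least one vnet must additionally hold some
    privilege on /bridge/<name>; a NoAccess entry there removes them all."""
    if not acl.check(user, vm_path, "VM.Config.Network"):
        return False
    if sees_a_vnet and not acl.privileges(user, f"/bridge/{bridge}"):
        return False
    return True


def demo():
    """Constructed scenario; vnet1 and vnet2 both live in zone68."""
    acl = Acl()
    acl.grant("/vms/100", "alice@pve", "PVEVMAdmin")
    acl.grant("/sdn/zones/zone68", "alice@pve", "SDNUser")   # whole zone
    acl.grant("/", "bob@pve", "PVEVMAdmin")
    acl.grant("/sdn/vnets/vnet1", "bob@pve", "SDNUser")      # one vnet only
    acl.grant("/bridge/vmbr0", "bob@pve", "NoAccess")
    acl.grant("/", "carol@pve", "PVEVMAdmin")                # no SDN privilege
    acl.grant("/", "dave@pve", "PVEVMAdmin", "PVESDNAdmin")  # admin-like
    out = {}
    for user in ("alice@pve", "bob@pve", "carol@pve", "dave@pve"):
        v1 = can_attach_vnet(acl, user, "zone68", "vnet1")
        v2 = can_attach_vnet(acl, user, "zone68", "vnet2")
        out[f"{user}:vnet1"], out[f"{user}:vnet2"] = v1, v2
        out[f"{user}:vmbr0"] = can_attach_bridge(acl, user, "vmbr0", "/vms/100", v1 or v2)
    return out


if __name__ == "__main__":
    for key, allowed in demo().items():
        print(f"{key:18} {'allowed' if allowed else 'denied'}")
```

In the scenario, carol holds only PVEVMAdmin and can still attach vmbr0 (the gap h3po describes), bob's NoAccess entry on /bridge/vmbr0 takes effect only because can_attach_bridge() consults that path, and dave's propagated roles from / keep vmbr0 available, which is the case h3po worried the plain "hide vmbrX when the user sees a vnet" rule would break.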
Sorry for bringing this old thread up. I am currently building an environment where there is a need for an SDN permission structure. What is the status of the development work on this?
 
Just a quick additional question: is the SDN permission structure "fully" added to the 6.x version also? I can only add permissions at zone level, which exposes all the vnets to the client user/group.

@spirit good work :)
 
Hi, SDN for Proxmox 6.X will not be updated anymore (but technically, the current pve-network package from 7.X still works with 6.X).

The latest 7.X versions allow setting permissions on a vnet directly (in Datacenter -> Permissions with the path /sdn/vnets/xxxx).

But it's still missing the patch on the pve-manager package to filter them in the NIC GUI.
 
Thank you for sharing. Having a small dilemma with the 7.x version, because the rest of the services do not yet support version 7.x (Foreman fog). Probably, I need to throw the developer's shoes back on and contribute the necessary changes.
 
Hi @spirit, sorry for bringing this thread back up; however, it's most relevant to what we are trying to do.

We're currently using version 7.1-10 and have the use case where we need to hide the vmbr bridges from normal users to prevent them from circumventing network security that is applied through SDN vNets.

Is the patch, or an alternative means to restrict access to them, still in the pipeline? If so, do you have a rough idea when that feature may become available to us?
 
I sent patches to the pve-devel mailing list some months ago; they are still not applied :(

https://lists.proxmox.com/pipermail/pve-devel/2021-October/050211.html

Maybe ask on the pve-devel mailing list? (I know that the Proxmox devs are a bit busy.)
I also have some other pending patches for the SDN GUI, so it would be great to have some users request them for inclusion ;)
 
Thanks @spirit for the reply. I have emailed the pve-devel list and referenced this thread and the use case for the vmbr permissions and SDN improvements to be applied.

My email is pending moderation so hopefully it will be accepted and we hear something back.