Merge pull request #2280 from GNS3/resource-pools

Resource pools support
9 months ago · e1c5c05492
parent 1f90bb14b6 7534718a1c
commit e1c5c05492
13 changed files with 946 additions and 25 deletions
--- a/gns3server/api/routes/controller/init.py
+++ b/gns3server/api/routes/controller/init.py
@ -32,6 +32,7 @@ from . import users
 from . import groups
 from . import roles
 from . import acl
+from . import pools
 from . import privileges

 from .dependencies.authentication import get_current_active_user
@ -131,6 +132,12 @@ router.include_router(
    tags=["Appliances"]
 )

+router.include_router(
+    pools.router,
+    prefix="/pools",
+    tags=["Resource pools"]
+)
+
 router.include_router(
    gns3vm.router,
    dependencies=[Depends(get_current_active_user)],
--- a/gns3server/api/routes/controller/acl.py
+++ b/gns3server/api/routes/controller/acl.py
@ -38,6 +38,7 @@ from gns3server.db.repositories.users import UsersRepository
 from gns3server.db.repositories.rbac import RbacRepository
 from gns3server.db.repositories.images import ImagesRepository
 from gns3server.db.repositories.templates import TemplatesRepository
+from gns3server.db.repositories.pools import ResourcePoolsRepository
 from .dependencies.database import get_repository
 from .dependencies.rbac import has_privilege

@ -57,7 +58,8 @@ async def endpoints(
        users_repo: UsersRepository = Depends(get_repository(UsersRepository)),
        rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
        images_repo: ImagesRepository = Depends(get_repository(ImagesRepository)),
-        templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository))
+        templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)),
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
 ) -> List[dict]:
    """
    List all endpoints to be used in ACL entries.
@ -128,6 +130,11 @@ async def endpoints(
    for template in templates:
        add_to_endpoints(f"/templates/{template.template_id}", f'Template "{template.name}"', "template")

+    # resource pools
+    add_to_endpoints("/pools", "All resource pools", "pool")
+    pools = await pools_repo.get_resource_pools()
+    for pool in pools:
+        add_to_endpoints(f"/pools/{pool.resource_pool_id}", f'Resource pool "{pool.name}"', "pool")
    return endpoints


--- a/gns3server/api/routes/controller/pools.py
+++ b/gns3server/api/routes/controller/pools.py
@ -0,0 +1,228 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2023 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+API routes for resource pools.
+"""
+
+from fastapi import APIRouter, Depends, status
+from uuid import UUID
+from typing import List
+
+from gns3server import schemas
+from gns3server.controller.controller_error import (
+    ControllerError,
+    ControllerBadRequestError,
+    ControllerNotFoundError
+)
+
+from gns3server.controller import Controller
+from gns3server.db.repositories.rbac import RbacRepository
+from gns3server.db.repositories.pools import ResourcePoolsRepository
+
+from .dependencies.rbac import has_privilege
+from .dependencies.database import get_repository
+
+import logging
+
+log = logging.getLogger(__name__)
+
+router = APIRouter()
+
+
+@router.get(
+    "",
+    response_model=List[schemas.ResourcePool],
+    dependencies=[Depends(has_privilege("Pool.Audit"))]
+)
+async def get_resource_pools(
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
+) -> List[schemas.ResourcePool]:
+    """
+    Get all resource pools.
+
+    Required privilege: Pool.Audit
+    """
+
+    return await pools_repo.get_resource_pools()
+
+
+@router.post(
+    "",
+    response_model=schemas.ResourcePool,
+    status_code=status.HTTP_201_CREATED,
+    dependencies=[Depends(has_privilege("Pool.Allocate"))]
+)
+async def create_resource_pool(
+        resource_pool_create: schemas.ResourcePoolCreate,
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
+) -> schemas.ResourcePool:
+    """
+    Create a new resource pool
+
+    Required privilege: Pool.Allocate
+    """
+
+    if await pools_repo.get_resource_pool_by_name(resource_pool_create.name):
+       raise ControllerBadRequestError(f"Resource pool '{resource_pool_create.name}' already exists")
+
+    return await pools_repo.create_resource_pool(resource_pool_create)
+
+
+@router.get(
+    "/{resource_pool_id}",
+    response_model=schemas.ResourcePool,
+    dependencies=[Depends(has_privilege("Pool.Audit"))]
+)
+async def get_resource_pool(
+        resource_pool_id: UUID,
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
+) -> schemas.ResourcePool:
+    """
+    Get a resource pool.
+
+    Required privilege: Pool.Audit
+    """
+
+    resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
+    if not resource_pool:
+        raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
+    return resource_pool
+
+
+@router.put(
+    "/{resource_pool_id}",
+    response_model=schemas.ResourcePool,
+    dependencies=[Depends(has_privilege("Pool.Modify"))]
+)
+async def update_resource_pool(
+        resource_pool_id: UUID,
+        resource_pool_update: schemas.ResourcePoolUpdate,
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
+) -> schemas.ResourcePool:
+    """
+    Update a resource pool.
+
+    Required privilege: Pool.Modify
+    """
+
+    resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
+    if not resource_pool:
+        raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
+
+    return await pools_repo.update_resource_pool(resource_pool_id, resource_pool_update)
+
+
+@router.delete(
+    "/{resource_pool_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    dependencies=[Depends(has_privilege("Pool.Allocate"))]
+)
+async def delete_resource_pool(
+        resource_pool_id: UUID,
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
+        rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))
+) -> None:
+    """
+    Delete a resource pool.
+
+    Required privilege: Pool.Allocate
+    """
+
+    resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
+    if not resource_pool:
+        raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
+
+    success = await pools_repo.delete_resource_pool(resource_pool_id)
+    if not success:
+        raise ControllerError(f"Resource pool '{resource_pool_id}' could not be deleted")
+    await rbac_repo.delete_all_ace_starting_with_path(f"/pools/{resource_pool_id}")
+
+
+@router.get(
+    "/{resource_pool_id}/resources",
+    response_model=List[schemas.Resource],
+    dependencies=[Depends(has_privilege("Pool.Audit"))]
+)
+async def get_pool_resources(
+        resource_pool_id: UUID,
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
+) -> List[schemas.Resource]:
+    """
+    Get all resource in a pool.
+
+    Required privilege: Pool.Audit
+    """
+
+    return await pools_repo.get_pool_resources(resource_pool_id)
+
+
+@router.put(
+    "/{resource_pool_id}/resources/{resource_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    dependencies=[Depends(has_privilege("Pool.Modify"))]
+)
+async def add_resource_to_pool(
+        resource_pool_id: UUID,
+        resource_id: UUID,
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
+) -> None:
+    """
+    Add resource to a resource pool.
+
+    Required privilege: Pool.Modify
+    """
+
+    resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
+    if not resource_pool:
+        raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
+
+    resources = await pools_repo.get_pool_resources(resource_pool_id)
+    for resource in resources:
+        if resource.resource_id == resource_id:
+            raise ControllerBadRequestError(f"Resource '{resource_id}' is already in '{resource_pool.name}'")
+
+    # we only support projects in resource pools for now
+    project = Controller.instance().get_project(str(resource_id))
+    resource_create = schemas.ResourceCreate(resource_id=resource_id, resource_type="project", name=project.name)
+    resource = await pools_repo.create_resource(resource_create)
+    await pools_repo.add_resource_to_pool(resource_pool_id, resource)
+
+
+@router.delete(
+    "/{resource_pool_id}/resources/{resource_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    dependencies=[Depends(has_privilege("Pool.Modify"))]
+)
+async def remove_resource_from_pool(
+    resource_pool_id: UUID,
+    resource_id: UUID,
+    pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
+) -> None:
+    """
+    Remove resource from a resource pool.
+
+    Required privilege: Pool.Modify
+    """
+
+    resource = await pools_repo.get_resource(resource_id)
+    if not resource:
+        raise ControllerNotFoundError(f"Resource '{resource_id}' not found")
+
+    resource_pool = await pools_repo.remove_resource_from_pool(resource_pool_id, resource)
+    if not resource_pool:
+        raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
--- a/gns3server/api/routes/controller/projects.py
+++ b/gns3server/api/routes/controller/projects.py
@ -47,9 +47,11 @@ from gns3server.utils.asyncio import aiozipstream
 from gns3server.utils.path import is_safe_path
 from gns3server.db.repositories.templates import TemplatesRepository
 from gns3server.db.repositories.rbac import RbacRepository
+from gns3server.db.repositories.pools import ResourcePoolsRepository
 from gns3server.services.templates import TemplatesService

 from .dependencies.rbac import has_privilege, has_privilege_on_websocket
+from .dependencies.authentication import get_current_active_user
 from .dependencies.database import get_repository

 responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}}
@ -69,10 +71,13 @@ def dep_project(project_id: UUID) -> Project:
@router.get(
    "",
    response_model=List[schemas.Project],
-    response_model_exclude_unset=True,
-    dependencies=[Depends(has_privilege("Project.Audit"))]
+    response_model_exclude_unset=True
 )
-async def get_projects() -> List[schemas.Project]:
+async def get_projects(
+        current_user: schemas.User = Depends(get_current_active_user),
+        rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
+        pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
+) -> List[schemas.Project]:
    """
    Return all projects.

@ -80,7 +85,22 @@ async def get_projects() -> List[schemas.Project]:
    """

    controller = Controller.instance()
-    return [p.asdict() for p in controller.projects.values()]
+    projects = []
+
+    if current_user.is_superadmin:
+        # super admin sees all projects
+        return [p.asdict() for p in controller.projects.values()]
+    elif await rbac_repo.check_user_has_privilege(current_user.user_id, "/projects", "Project.Audit"):
+        # user with Project.Audit privilege on '/projects' sees all projects except those in resource pools
+        project_ids_in_pools = [str(r.resource_id) for r in await pools_repo.get_resources() if r.resource_type == "project"]
+        projects.extend([p.asdict() for p in controller.projects.values() if p.id not in project_ids_in_pools])
+
+    # user with Project.Audit privilege on resource pools sees the projects in these pools
+    user_pool_resources = await rbac_repo.get_user_pool_resources(current_user.user_id, "Project.Audit")
+    project_ids_in_pools = [str(r.resource_id) for r in user_pool_resources if r.resource_type == "project"]
+    projects.extend([p.asdict() for p in controller.projects.values() if p.id in project_ids_in_pools])
+
+    return projects


@router.post(
--- a/gns3server/db/models/init.py
+++ b/gns3server/db/models/init.py
@ -22,7 +22,7 @@ from .roles import Role
 from .privileges import Privilege
 from .computes import Compute
 from .images import Image
-from .resource_pools import Resource, ResourcePool
+from .pools import Resource, ResourcePool
 from .templates import (
    Template,
    CloudTemplate,
--- a/gns3server/db/models/resource_pools.py
+++ b/gns3server/db/models/resource_pools.py
--- a/gns3server/db/models/privileges.py
+++ b/gns3server/db/models/privileges.py
@ -95,6 +95,18 @@ def create_default_roles(target, connection, **kw):
            "description": "Update an ACE",
            "name": "ACE.Modify"
        },
+        {
+            "description": "Create or delete a resource pool",
+            "name": "Pool.Allocate"
+        },
+        {
+            "description": "View a resource pool",
+            "name": "Pool.Audit"
+        },
+        {
+            "description": "Update a resource pool",
+            "name": "Pool.Modify"
+        },
        {
            "description": "Create or delete a template",
            "name": "Template.Allocate"
--- a/gns3server/db/repositories/pools.py
+++ b/gns3server/db/repositories/pools.py
@ -0,0 +1,206 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2023 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from uuid import UUID
+from typing import Optional, List, Union
+from sqlalchemy import select, update, delete
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import selectinload
+
+from .base import BaseRepository
+
+import gns3server.db.models as models
+from gns3server import schemas
+
+import logging
+
+log = logging.getLogger(__name__)
+
+
+class ResourcePoolsRepository(BaseRepository):
+
+    def __init__(self, db_session: AsyncSession) -> None:
+
+        super().__init__(db_session)
+
+    async def get_resource(self, resource_id: UUID) -> Optional[models.Resource]:
+        """
+        Get a resource by its ID.
+        """
+
+        query = select(models.Resource).where(models.Resource.resource_id == resource_id)
+        result = await self._db_session.execute(query)
+        return result.scalars().first()
+
+    async def get_resources(self) -> List[models.Resource]:
+        """
+        Get all resources.
+        """
+
+        query = select(models.Resource)
+        result = await self._db_session.execute(query)
+        return result.scalars().all()
+
+    async def create_resource(self, resource: schemas.ResourceCreate) -> models.Resource:
+        """
+        Create a new resource.
+        """
+
+        db_resource = models.Resource(
+            resource_id=resource.resource_id,
+            resource_type=resource.resource_type,
+            name=resource.name
+        )
+        self._db_session.add(db_resource)
+        await self._db_session.commit()
+        await self._db_session.refresh(db_resource)
+        return db_resource
+
+    async def delete_resource(self, resource_id: UUID) -> bool:
+        """
+        Delete a resource.
+        """
+
+        query = delete(models.Resource).where(models.Resource.resource_id == resource_id)
+        result = await self._db_session.execute(query)
+        await self._db_session.commit()
+        return result.rowcount > 0
+
+    async def get_resource_pool(self, resource_pool_id: UUID) -> Optional[models.ResourcePool]:
+        """
+        Get a resource pool by its ID.
+        """
+
+        query = select(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id)
+        result = await self._db_session.execute(query)
+        return result.scalars().first()
+
+    async def get_resource_pool_by_name(self, name: str) -> Optional[models.ResourcePool]:
+        """
+        Get a resource pool by its name.
+        """
+
+        query = select(models.ResourcePool).where(models.ResourcePool.name == name)
+        result = await self._db_session.execute(query)
+        return result.scalars().first()
+
+    async def get_resource_pools(self) -> List[models.ResourcePool]:
+        """
+        Get all resource pools.
+        """
+
+        query = select(models.ResourcePool)
+        result = await self._db_session.execute(query)
+        return result.scalars().all()
+
+    async def create_resource_pool(self, resource_pool: schemas.ResourcePoolCreate) -> models.ResourcePool:
+        """
+        Create a new resource pool.
+        """
+
+        db_resource_pool = models.ResourcePool(name=resource_pool.name)
+        self._db_session.add(db_resource_pool)
+        await self._db_session.commit()
+        await self._db_session.refresh(db_resource_pool)
+        return db_resource_pool
+
+    async def update_resource_pool(
+            self,
+            resource_pool_id: UUID,
+            resource_pool_update: schemas.ResourcePoolUpdate
+    ) -> Optional[models.ResourcePool]:
+        """
+        Update a resource pool.
+        """
+
+        update_values = resource_pool_update.model_dump(exclude_unset=True)
+        query = update(models.ResourcePool).\
+            where(models.ResourcePool.resource_pool_id == resource_pool_id).\
+            values(update_values)
+
+        await self._db_session.execute(query)
+        await self._db_session.commit()
+        resource_pool_db = await self.get_resource_pool(resource_pool_id)
+        if resource_pool_db:
+            await self._db_session.refresh(resource_pool_db)  # force refresh of updated_at value
+        return resource_pool_db
+
+    async def delete_resource_pool(self, resource_pool_id: UUID) -> bool:
+        """
+        Delete a resource pool.
+        """
+
+        query = delete(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id)
+        result = await self._db_session.execute(query)
+        await self._db_session.commit()
+        return result.rowcount > 0
+
+    async def add_resource_to_pool(
+            self,
+            resource_pool_id: UUID,
+            resource: models.Resource
+    ) -> Union[None, models.ResourcePool]:
+        """
+        Add a resource to a resource pool.
+        """
+
+        query = select(models.ResourcePool).\
+            options(selectinload(models.ResourcePool.resources)).\
+            where(models.ResourcePool.resource_pool_id == resource_pool_id)
+        result = await self._db_session.execute(query)
+        resource_pool_db = result.scalars().first()
+        if not resource_pool_db:
+            return None
+
+        resource_pool_db.resources.append(resource)
+        await self._db_session.commit()
+        await self._db_session.refresh(resource_pool_db)
+        return resource_pool_db
+
+    async def remove_resource_from_pool(
+            self,
+            resource_pool_id: UUID,
+            resource: models.Resource
+    ) -> Union[None, models.ResourcePool]:
+        """
+        Remove a resource from a resource pool.
+        """
+
+        query = select(models.ResourcePool).\
+            options(selectinload(models.ResourcePool.resources)).\
+            where(models.ResourcePool.resource_pool_id == resource_pool_id)
+        result = await self._db_session.execute(query)
+        resource_pool_db = result.scalars().first()
+        if not resource_pool_db:
+            return None
+
+        resource_pool_db.resources.remove(resource)
+        await self._db_session.commit()
+        await self._db_session.refresh(resource_pool_db)
+        return resource_pool_db
+
+    async def get_pool_resources(self, resource_pool_id: UUID) -> List[models.Resource]:
+        """
+        Get all resources from a resource pool.
+        """
+
+        query = select(models.Resource).\
+            join(models.Resource.resource_pools).\
+            filter(models.ResourcePool.resource_pool_id == resource_pool_id)
+
+        result = await self._db_session.execute(query)
+        return result.scalars().all()
--- a/gns3server/db/repositories/rbac.py
+++ b/gns3server/db/repositories/rbac.py
@ -18,7 +18,7 @@
 from uuid import UUID
 from urllib.parse import urlparse
 from typing import Optional, List, Union
-from sqlalchemy import select, update, delete, null
+from sqlalchemy import select, update, delete
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload

@ -309,19 +309,37 @@ class RbacRepository(BaseRepository):
                        return True  # only allow if the path is the original path or the ACE is set to propagate
        return False

-    async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
+    async def _get_resources_in_pools(self, aces, path: str = None) -> List[models.Resource]:
+        """
+        Get all resources in pools.
        """
-        Resource paths form a file system like tree and privileges can be inherited by paths down that tree
-        (the propagate field is True by default)

-        The following inheritance rules are used:
+        pool_resources = []
+        for ace_path, ace_propagate, ace_allowed, ace_privilege in aces:
+            if ace_path.startswith("/pool"):
+                resource_pool_id = ace_path.split("/")[2]
+                query = select(models.Resource). \
+                    join(models.Resource.resource_pools). \
+                    filter(models.ResourcePool.resource_pool_id == resource_pool_id)

-        * Privileges for individual users always replace group privileges.
-        * Privileges for groups apply when the user is member of that group.
-        * Privileges on deeper levels replace those inherited from an upper level.
+                result = await self._db_session.execute(query)
+                resources = result.scalars().all()
+
+                for resource in resources:
+                    # we only support projects in resource pools for now
+                    if resource.resource_type == "project":
+                        if path:
+                            if path.startswith(f"/projects/{resource.resource_id}"):
+                                pool_resources.append(resource)
+                        else:
+                            pool_resources.append(resource)
+        return pool_resources
+
+    async def _get_user_aces(self, user_id: UUID, privilege_name: str):
+        """
+        Retrieve all user ACEs matching the user_id and privilege name.
        """

-        # retrieve all user ACEs matching the user_id and privilege name
        query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
            join(models.Privilege.roles).\
            join(models.Role.acl_entries).\
@ -331,16 +349,13 @@ class RbacRepository(BaseRepository):
            order_by(models.ACE.path.desc())

        result = await self._db_session.execute(query)
-        aces = result.all()
+        return result.all()

-        try:
-            if self._check_path_with_aces(path, aces):
-                # the user has an ACE matching the path and privilege,there is no need to check group ACEs
-                return True
-        except PermissionError:
-            return False
+    async def _get_group_aces(self, user_id: UUID, privilege_name: str):
+        """
+        Retrieve all group ACEs matching the user_id and privilege name.
+        """

-        # retrieve all group ACEs matching the user_id and privilege name
        query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
            join(models.Privilege.roles). \
            join(models.Role.acl_entries). \
@ -350,9 +365,59 @@ class RbacRepository(BaseRepository):
            filter(models.Privilege.name == privilege_name)

        result = await self._db_session.execute(query)
-        aces = result.all()
+        return result.all()
+
+    async def get_user_pool_resources(self, user_id: UUID, privilege_name: str) -> List[models.Resource]:
+        """
+        Get all resources in pools belonging to a user and groups
+        """
+
+        user_aces = await self._get_user_aces(user_id, privilege_name)
+        pool_resources = await self._get_resources_in_pools(user_aces)
+        group_aces = await self._get_group_aces(user_id, privilege_name)
+        pool_resources.extend(await self._get_resources_in_pools(group_aces))
+        return list(set(pool_resources))

+    async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
+        """
+        Resource paths form a file system like tree and privileges can be inherited by paths down that tree
+        (the propagate field is True by default)
+
+        The following inheritance rules are used:
+
+        * Privileges for individual users always replace group privileges.
+        * Privileges for groups apply when the user is member of that group.
+        * Privileges on deeper levels replace those inherited from an upper level.
+        """
+
+        query = select(models.Resource)
+        result = await self._db_session.execute(query)
+        resources = result.scalars().all()
+        projects_in_pools = [f"/projects/{r.resource_id}" for r in resources if r.resource_type == "project"]
+        path_is_in_pool = False
+        for project_in_pool in projects_in_pools:
+            if path.startswith(project_in_pool):
+                path_is_in_pool = True
+                break
+
+        aces = await self._get_user_aces(user_id, privilege_name)
+        try:
+            if path_is_in_pool:
+                if await self._get_resources_in_pools(aces, path):
+                    return True
+            elif self._check_path_with_aces(path, aces):
+                # the user has an ACE matching the path and privilege, there is no need to check group ACEs
+                return True
+        except PermissionError:
+            return False
+
+        aces = await self._get_group_aces(user_id, privilege_name)
        try:
-            return self._check_path_with_aces(path, aces)
+            if path_is_in_pool:
+                if await self._get_resources_in_pools(aces, path):
+                    return True
+            elif self._check_path_with_aces(path, aces):
+                return True
        except PermissionError:
            return False
+        return False
--- a/gns3server/schemas/init.py
+++ b/gns3server/schemas/init.py
@ -31,6 +31,7 @@ from .controller.nodes import NodeCreate, NodeUpdate, NodeDuplicate, NodeCapture
 from .controller.projects import ProjectCreate, ProjectUpdate, ProjectDuplicate, Project, ProjectFile, ProjectCompression
 from .controller.users import UserCreate, UserUpdate, LoggedInUserUpdate, User, Credentials, UserGroupCreate, UserGroupUpdate, UserGroup
 from .controller.rbac import RoleCreate, RoleUpdate, Role, Privilege, ACECreate, ACEUpdate, ACE
+from .controller.pools import Resource, ResourceCreate, ResourcePoolCreate, ResourcePoolUpdate, ResourcePool
 from .controller.tokens import Token
 from .controller.snapshots import SnapshotCreate, Snapshot
 from .controller.iou_license import IOULicense
--- a/gns3server/schemas/controller/pools.py
+++ b/gns3server/schemas/controller/pools.py
@ -0,0 +1,81 @@
+#
+# Copyright (C) 2020 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from typing import Optional
+from pydantic import ConfigDict, BaseModel, Field
+from uuid import UUID
+from enum import Enum
+
+from .base import DateTimeModelMixin
+
+
+class ResourceType(str, Enum):
+
+    project = "project"
+
+
+class ResourceBase(BaseModel):
+    """
+    Common resource properties.
+    """
+
+    resource_id: UUID
+    resource_type: ResourceType = Field(..., description="Type of the resource")
+    name: Optional[str] = None
+    model_config = ConfigDict(use_enum_values=True)
+
+
+class ResourceCreate(ResourceBase):
+    """
+    Properties to create a resource.
+    """
+
+    pass
+
+
+class Resource(DateTimeModelMixin, ResourceBase):
+
+    model_config = ConfigDict(from_attributes=True)
+
+
+class ResourcePoolBase(BaseModel):
+    """
+    Common resource pool properties.
+    """
+
+    name: str
+
+
+class ResourcePoolCreate(ResourcePoolBase):
+    """
+    Properties to create a resource pool.
+    """
+
+    pass
+
+
+class ResourcePoolUpdate(ResourcePoolBase):
+    """
+    Properties to update a resource pool.
+    """
+
+    pass
+
+
+class ResourcePool(DateTimeModelMixin, ResourcePoolBase):
+
+    resource_pool_id: UUID
+    model_config = ConfigDict(from_attributes=True)
--- a/tests/api/routes/controller/test_pools.py
+++ b/tests/api/routes/controller/test_pools.py
@ -0,0 +1,183 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2023 GNS3 Technologies Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import uuid
+import pytest
+import pytest_asyncio
+
+from fastapi import FastAPI, status
+from httpx import AsyncClient
+
+from sqlalchemy.ext.asyncio import AsyncSession
+from gns3server.db.repositories.pools import ResourcePoolsRepository
+from gns3server.controller import Controller
+from gns3server.controller.project import Project
+from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
+
+pytestmark = pytest.mark.asyncio
+
+
+class TestPoolRoutes:
+
+    async def test_resource_pool(self, app: FastAPI, client: AsyncClient) -> None:
+
+        new_group = {"name": "pool1"}
+        response = await client.post(app.url_path_for("create_resource_pool"), json=new_group)
+        assert response.status_code == status.HTTP_201_CREATED
+
+    async def test_get_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
+        response = await client.get(app.url_path_for("get_resource_pool", resource_pool_id=pool_in_db.resource_pool_id))
+        assert response.status_code == status.HTTP_200_OK
+        assert response.json()["resource_pool_id"] == str(pool_in_db.resource_pool_id)
+
+    async def test_list_resource_pools(self, app: FastAPI, client: AsyncClient) -> None:
+
+        response = await client.get(app.url_path_for("get_resource_pools"))
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()) == 1
+
+    async def test_update_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
+
+        update_pool = {"name": "pool42"}
+        response = await client.put(
+            app.url_path_for("update_resource_pool", resource_pool_id=pool_in_db.resource_pool_id),
+            json=update_pool
+        )
+        assert response.status_code == status.HTTP_200_OK
+        updated_pool_in_db = await pools_repo.get_resource_pool(pool_in_db.resource_pool_id)
+        assert updated_pool_in_db.name == "pool42"
+
+    async def test_resource_group(
+            self,
+            app: FastAPI,
+            client: AsyncClient,
+            db_session: AsyncSession
+    ) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        pool_in_db = await pools_repo.get_resource_pool_by_name("pool42")
+        response = await client.delete(app.url_path_for("delete_resource_pool", resource_pool_id=pool_in_db.resource_pool_id))
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+
+
+class TestResourcesPoolRoutes:
+
+    @pytest_asyncio.fixture
+    async def project(self, app: FastAPI, client: AsyncClient, controller: Controller) -> Project:
+        project_id = str(uuid.uuid4())
+        params = {"name": "test", "project_id": project_id}
+        await client.post(app.url_path_for("create_project"), json=params)
+        return controller.get_project(project_id)
+
+    async def test_add_resource_to_pool(
+            self,
+            app: FastAPI,
+            client: AsyncClient,
+            db_session: AsyncSession,
+            project: Project
+    ) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        new_resource_pool = ResourcePoolCreate(
+            name="pool1",
+        )
+        pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
+        response = await client.put(
+            app.url_path_for(
+                "add_resource_to_pool",
+                resource_pool_id=pool_in_db.resource_pool_id,
+                resource_id=str(project.id)
+            )
+        )
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+        resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
+        assert len(resources) == 1
+        assert str(resources[0].resource_id) == project.id
+
+    async def test_add_to_resource_already_in_resource_pool(
+            self,
+            app: FastAPI,
+            client: AsyncClient,
+            db_session: AsyncSession,
+            project: Project
+    ) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
+        resource_create = ResourceCreate(resource_id=project.id, resource_type="project")
+        resource = await pools_repo.create_resource(resource_create)
+        await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
+
+        response = await client.put(
+            app.url_path_for(
+                "add_resource_to_pool",
+                resource_pool_id=pool_in_db.resource_pool_id,
+                resource_id=str(resource.resource_id)
+            )
+        )
+        assert response.status_code == status.HTTP_400_BAD_REQUEST
+
+    async def test_get_pool_resources(
+            self,
+            app: FastAPI,
+            client: AsyncClient,
+            db_session: AsyncSession
+    ) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
+        response = await client.get(
+            app.url_path_for(
+                "get_pool_resources",
+                resource_pool_id=pool_in_db.resource_pool_id)
+        )
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()) == 2
+
+    async def test_remove_resource_from_pool(
+            self,
+            app: FastAPI,
+            client: AsyncClient,
+            db_session: AsyncSession,
+            project: Project
+    ) -> None:
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
+        resource_create = ResourceCreate(resource_id=project.id, resource_type="project")
+        resource = await pools_repo.create_resource(resource_create)
+        await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
+
+        resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
+        assert len(resources) == 3
+
+        response = await client.delete(
+            app.url_path_for(
+                "remove_resource_from_pool",
+                resource_pool_id=pool_in_db.resource_pool_id,
+                resource_id=str(project.id)
+            ),
+        )
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+        resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
+        assert len(resources) == 2
--- a/tests/controller/test_rbac.py
+++ b/tests/controller/test_rbac.py
@ -17,14 +17,18 @@

 import pytest
 import pytest_asyncio
+import uuid

 from fastapi import FastAPI, status
 from httpx import AsyncClient

 from sqlalchemy.ext.asyncio import AsyncSession
+from gns3server.controller import Controller
 from gns3server.db.repositories.rbac import RbacRepository
 from gns3server.db.repositories.users import UsersRepository
+from gns3server.db.repositories.pools import ResourcePoolsRepository
 from gns3server.schemas.controller.rbac import ACECreate
+from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
 from gns3server.db.models import User

 pytestmark = pytest.mark.asyncio
@ -128,6 +132,113 @@ class TestPrivileges:
        authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
        assert authorized is True

+
+class TestResourcePools:
+
+    async def test_resource_pool(self, test_user: User, db_session: AsyncSession):
+
+        project_id = uuid.uuid4()
+        project_name = "project42"
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        new_resource_pool = ResourcePoolCreate(name="pool1")
+        pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
+
+        resource_create = ResourceCreate(resource_id=project_id, resource_type="project", name=project_name)
+        resource = await pools_repo.create_resource(resource_create)
+        await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
+
+        group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
+        role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
+        ace = ACECreate(
+            path=f"/pools/{pool_in_db.resource_pool_id}",
+            ace_type="group",
+            propagate=False,
+            group_id=str(group_id),
+            role_id=str(role_id)
+        )
+        await RbacRepository(db_session).create_ace(ace)
+
+        privilege = "Project.Audit"
+        path = f"/projects/{project_id}"
+        authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
+        assert authorized is True
+
+    async def test_list_projects_in_resource_pool(
+            self,
+            app: FastAPI,
+            controller: Controller,
+            authorized_client: AsyncClient,
+            db_session: AsyncSession
+    ) -> None:
+
+        uuid1 = str(uuid.uuid4())
+        uuid2 = str(uuid.uuid4())
+        uuid3 = str(uuid.uuid4())
+        await controller.add_project(project_id=uuid1, name="Project1")
+        await controller.add_project(project_id=uuid2, name="Project2")
+        await controller.add_project(project_id=uuid3, name="Project3")
+
+        # user has no access to projects (no ACE on /projects or resource pools)
+        response = await authorized_client.get(app.url_path_for("get_projects"))
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()) == 0
+
+        pools_repo = ResourcePoolsRepository(db_session)
+        new_resource_pool = ResourcePoolCreate(name="pool2")
+        pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
+
+        resource_create = ResourceCreate(resource_id=uuid2, resource_type="project", name="Project2")
+        resource = await pools_repo.create_resource(resource_create)
+        await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
+
+        group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
+        role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
+        ace = ACECreate(
+            path=f"/pools/{pool_in_db.resource_pool_id}",
+            ace_type="group",
+            propagate=False,
+            group_id=str(group_id),
+            role_id=str(role_id)
+        )
+        await RbacRepository(db_session).create_ace(ace)
+
+        response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
+        assert response.status_code == status.HTTP_200_OK
+        assert response.json()["name"] == "Project2"
+
+        # user should only see one project because it is in the resource pool he has access to
+        response = await authorized_client.get(app.url_path_for("get_projects"))
+        assert response.status_code == status.HTTP_200_OK
+        projects = response.json()
+        assert len(projects) == 1
+        assert projects[0]["project_id"] == uuid2
+
+        ace = ACECreate(
+            path=f"/projects",
+            ace_type="group",
+            propagate=True,
+            group_id=str(group_id),
+            role_id=str(role_id)
+        )
+        await RbacRepository(db_session).create_ace(ace)
+
+        # now user should see all projects because he has access to /projects and the resource pool
+        response = await authorized_client.get(app.url_path_for("get_projects"))
+        assert response.status_code == status.HTTP_200_OK
+        projects = response.json()
+        assert len(projects) == 3
+
+        await RbacRepository(db_session).delete_all_ace_starting_with_path(f"/pools/{pool_in_db.resource_pool_id}")
+        response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+        # now user should only see the projects that are not in a resource pool
+        response = await authorized_client.get(app.url_path_for("get_projects"))
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()) == 2
+
+
 # class TestProjectsWithRbac:
 #
 #     async def test_admin_create_project(self, app: FastAPI, client: AsyncClient):