From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com,
Samuel Rufinatscha <s.rufinatscha@proxmox.com>
Subject: partially-applied: [PATCH proxmox{-backup,,-datacenter-manager} v7 00/11] token-shadow: reduce api token verification overhead
Date: Thu, 19 Mar 2026 13:26:26 +0100
Message-ID: <1773921586.9wosknv4cp.astroid@yuna.none>
In-Reply-To: <20260312103708.125282-1-s.rufinatscha@proxmox.com>
On March 12, 2026 11:36 am, Samuel Rufinatscha wrote:
> Hi,
>
> [..]
>
> Patch summary
>
> pbs-config:
> 0001 – pbs-config: add token.shadow generation to ConfigVersionCache
> 0002 – pbs-config: cache verified API token secrets
> 0003 – pbs-config: invalidate token-secret cache on token.shadow changes
> 0004 – pbs-config: add TTL window to token-secret cache
applied these, with some follow-ups as discussed off-list
> proxmox-access-control:
> 0005 – access-control: extend AccessControlConfig for token.shadow invalidation
> 0006 – access-control: cache verified API token secrets
> 0007 – access-control: invalidate token-secret cache on token.shadow changes
> 0008 – access-control: add TTL window to token-secret cache
>
> proxmox-datacenter-manager:
> 0009 – pdm-config: add token.shadow generation to ConfigVersionCache
> 0010 – docs: document API token-cache TTL effects
> 0011 – pdm-config: wire user+acl cache generation
skipped these for now - I think the split between the traits there makes
things a bit too intertwined while sort of pretending they are separate.
we probably would have noticed earlier that things aren't cleanly
separated if PDM had wired up user.cfg/acl.cfg caching ;)
we should probably split the two traits completely, instead of nesting:
- one for the ACL-related parts needed by the UI, guarded by the `acl`
feature
- one for the user.cfg/token.shadow and caching related parts, guarded
by the `impl` feature
with an `init` call each consuming them (or one consuming the acl one,
and second impl-one consuming both?).
neither of these traits is used by the product code itself, except for
implementing them to tell proxmox-access-control about product-specific
bits, so having two traits allows properly separating the concerns on
the product side.
it would probably also make sense to include the follow-ups (which are
mostly renaming things) to make it easier to at some point switch the
PBS code over to proxmox-access-control..
> Maintainer Notes:
> * proxmox-access-control trait split: permissions now live in
> AccessControlPermissions, and AccessControlConfig now requires
> `fn permissions(&self) -> &dyn AccessControlPermissions` -> version bump
> * Renames ConfigVersionCache's pub user_cache_generation and
> increase_user_cache_generation -> version bump
> * Adds parking_lot::RwLock dependency in PBS and proxmox-access-control
>
> This version and the version before only incorporate the reviewers'
> feedback [4][5][6], also please consider Christian's R-b tag [4].
>
> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7017
> [2] attachment 1767 [1]: Flamegraph showing the proxmox_sys::crypt::verify_crypt_pw stack
> [3] https://bugzilla.proxmox.com/show_bug.cgi?id=6049
> [4] https://lore.proxmox.com/pbs-devel/20260121151408.731516-1-s.rufinatscha@proxmox.com/T/#t
> [5] https://lore.proxmox.com/pbs-devel/20260217111229.78661-1-s.rufinatscha@proxmox.com/T/#t
> [6] https://lore.proxmox.com/pbs-devel/725687dd-5a35-41ed-af62-6dc9f062cbd4@proxmox.com/T/#t
>
> proxmox-backup:
>
> Samuel Rufinatscha (4):
> pbs-config: add token.shadow generation to ConfigVersionCache
> pbs-config: cache verified API token secrets
> pbs-config: invalidate token-secret cache on token.shadow changes
> pbs-config: add TTL window to token secret cache
>
> Cargo.toml | 1 +
> docs/user-management.rst | 4 +
> pbs-config/Cargo.toml | 1 +
> pbs-config/src/config_version_cache.rs | 18 ++
> pbs-config/src/token_shadow.rs | 314 ++++++++++++++++++++++++-
> 5 files changed, 335 insertions(+), 3 deletions(-)
>
>
> proxmox:
>
> Samuel Rufinatscha (4):
> proxmox-access-control: split AccessControlConfig and add token.shadow gen
> proxmox-access-control: cache verified API token secrets
> proxmox-access-control: invalidate token-secret cache on token.shadow changes
> proxmox-access-control: add TTL window to token secret cache
>
> Cargo.toml | 1 +
> proxmox-access-control/Cargo.toml | 1 +
> proxmox-access-control/src/acl.rs | 10 +-
> proxmox-access-control/src/init.rs | 113 ++++++--
> proxmox-access-control/src/token_shadow.rs | 315 ++++++++++++++++++++-
> 5 files changed, 413 insertions(+), 27 deletions(-)
>
>
> proxmox-datacenter-manager:
>
> Samuel Rufinatscha (3):
> pdm-config: implement token.shadow generation
> docs: document API token-cache TTL effects
> pdm-config: wire user+acl cache generation
>
> cli/admin/src/main.rs | 2 +-
> docs/access-control.rst | 4 +++
> lib/pdm-api-types/src/acl.rs | 4 +--
> lib/pdm-config/Cargo.toml | 1 +
> lib/pdm-config/src/access_control.rs | 31 ++++++++++++++++++++
> lib/pdm-config/src/config_version_cache.rs | 34 +++++++++++++++++-----
> lib/pdm-config/src/lib.rs | 2 ++
> server/src/acl.rs | 3 +-
> ui/src/main.rs | 10 ++++++-
> 9 files changed, 77 insertions(+), 14 deletions(-)
> create mode 100644 lib/pdm-config/src/access_control.rs
>
>
> Summary over all repositories:
> 19 files changed, 825 insertions(+), 44 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
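The series' mechanism (cache a verified API token secret, invalidate it when the token.shadow generation counter changes, and bound it with a TTL window) sketched as an added example in plain Rust with std only. This is not the code from the patches: the `ConfigVersionCache` here is an in-process atomic stand-in for the shared-memory generation counter, `make_constructed_shadow`/`slow_verify` replace the expensive crypt check (`proxmox_sys::crypt::verify_crypt_pw`) with a constructed, non-hashing placeholder, and keeping the verified secret bytes in the entry is this example's simplification. `now` is passed in explicitly so the TTL behaviour can be exercised deterministically.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::{Arc, RwLock};
use std::time::{Duration, Instant};

/// Stand-in for the token.shadow generation counter the series adds to
/// ConfigVersionCache (assumed shape; the real one lives in shared memory).
#[derive(Default)]
pub struct ConfigVersionCache {
    token_shadow_generation: AtomicU64,
}

impl ConfigVersionCache {
    pub fn token_shadow_generation(&self) -> u64 {
        self.token_shadow_generation.load(Ordering::Acquire)
    }

    /// Bumped whenever token.shadow is written (token created, removed or regenerated).
    pub fn increase_token_shadow_generation(&self) {
        self.token_shadow_generation.fetch_add(1, Ordering::AcqRel);
    }
}

/// Constructed placeholder for a token.shadow entry: the secret reversed behind
/// a marker. NOT a password hash; it only gives the slow path something to check.
pub fn make_constructed_shadow(secret: &str) -> String {
    format!("$demo${}", secret.chars().rev().collect::<String>())
}

/// Placeholder for the expensive crypt(3) verification.
fn slow_verify(shadow: &str, secret: &str) -> bool {
    shadow == make_constructed_shadow(secret)
}

/// Comparison whose timing does not depend on where the inputs differ
/// (only the length check short-circuits).
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

struct CacheEntry {
    /// Secret as accepted by the slow path (kept in memory: this example's simplification).
    secret: Vec<u8>,
    /// token.shadow generation at the time of the slow verification.
    generation: u64,
    verified_at: Instant,
}

pub struct TokenSecretCache {
    entries: RwLock<HashMap<String, CacheEntry>>,
    versions: Arc<ConfigVersionCache>,
    ttl: Duration,
    slow_verifications: AtomicU64,
}

impl TokenSecretCache {
    pub fn new(versions: Arc<ConfigVersionCache>, ttl: Duration) -> Self {
        Self {
            entries: RwLock::new(HashMap::new()),
            versions,
            ttl,
            slow_verifications: AtomicU64::new(0),
        }
    }

    /// How often the expensive path ran; lets a caller see the cache's effect.
    pub fn slow_verification_count(&self) -> u64 {
        self.slow_verifications.load(Ordering::Relaxed)
    }

    pub fn verify(&self, tokenid: &str, shadow: &str, secret: &str, now: Instant) -> bool {
        let generation = self.versions.token_shadow_generation();

        // Fast path: reuse a verified secret only if token.shadow has not changed
        // since (same generation) and the entry is still inside the TTL window.
        {
            let entries = self.entries.read().unwrap();
            if let Some(entry) = entries.get(tokenid) {
                let fresh = entry.generation == generation
                    && now.duration_since(entry.verified_at) < self.ttl;
                if fresh && constant_time_eq(&entry.secret, secret.as_bytes()) {
                    return true;
                }
            }
        }

        // Slow path. Only a success updates the cache: a failed attempt leaves an
        // existing valid entry alone, so wrong guesses cannot evict the legitimate
        // client's fast path.
        self.slow_verifications.fetch_add(1, Ordering::Relaxed);
        if !slow_verify(shadow, secret) {
            return false;
        }
        let mut entries = self.entries.write().unwrap();
        entries.insert(
            tokenid.to_string(),
            CacheEntry { secret: secret.as_bytes().to_vec(), generation, verified_at: now },
        );
        true
    }
}

fn main() {
    let versions = Arc::new(ConfigVersionCache::default());
    let cache = TokenSecretCache::new(Arc::clone(&versions), Duration::from_secs(60));
    let tok = "root@pam!backup"; // constructed token id in PBS's user@realm!name form
    let shadow = make_constructed_shadow("s3cret");
    let t0 = Instant::now();
    println!("first:  {}", cache.verify(tok, &shadow, "s3cret", t0));
    println!("cached: {}", cache.verify(tok, &shadow, "s3cret", t0 + Duration::from_secs(1)));
    versions.increase_token_shadow_generation(); // token.shadow rewritten
    println!("after bump: {}", cache.verify(tok, &shadow, "s3cret", t0 + Duration::from_secs(2)));
    println!("slow verifications: {}", cache.slow_verification_count());
}
```

The generation check is what makes a regenerated or deleted token stop working immediately; the TTL only bounds how long an entry survives a change the counter does not see, which is why the docs patch in the series has to spell out its effects. Note also that a wrong secret never short-circuits on the cached entry: it always pays the slow path, so the cache does not weaken brute-force cost for an attacker.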