From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [RFC proxmox-backup 00/15] API tokens
Date: Mon, 19 Oct 2020 09:39:04 +0200 [thread overview]
Message-ID: <20201019073919.588521-1-f.gruenbichler@proxmox.com> (raw)
sending as RFC since there are a few implementation details up for
discussion while I struggle with the JS/GUI part ;)
it's mostly modeled after API tokens in PVE, with two differences:
- tokens are always privilege separated
- the user+token list returns full tokenids, not token names
first three patches are just cleanups that fell out of developing this
series.
missing/room for follow-ups:
- allow setting arbitrary ACLs for tokens (since they are restricted to
the permissions of the user anyway)
- cache authenticated tokens to avoid round trip through hashing/shadow
file?
- GUI
Fabian Grünbichler (15):
fix indentation
fix typos
REST: rename token to csrf_token
Userid: extend schema with token name
add ApiToken to user.cfg and CachedUserInfo
config: add token.shadow file
REST: extract and handle API tokens
api: add API token endpoints
api: allow listing users + tokens
api: add permissions endpoint
client: allow using ApiToken + secret
owner checks: handle backups owned by API tokens
tasks: allow unpriv users to read their tokens' tasks
manager: add token commands
manager: add user permissions command
src/api2/access.rs | 99 +++++-
src/api2/access/acl.rs | 2 +-
src/api2/access/user.rs | 450 ++++++++++++++++++++++++-
src/api2/admin/datastore.rs | 134 +++++---
src/api2/backup.rs | 3 +-
src/api2/config/remote.rs | 4 +-
src/api2/node/tasks.rs | 30 +-
src/api2/reader.rs | 3 +-
src/api2/types/mod.rs | 15 +-
src/api2/types/userid.rs | 367 +++++++++++++++++---
src/bin/proxmox-backup-client.rs | 6 +-
src/bin/proxmox_backup_manager/acl.rs | 2 +-
src/bin/proxmox_backup_manager/user.rs | 129 +++++++
src/client/http_client.rs | 41 ++-
src/config.rs | 1 +
src/config/acl.rs | 67 ++--
src/config/cached_user_info.rs | 65 +++-
src/config/remote.rs | 2 +-
src/config/token_shadow.rs | 79 +++++
src/config/user.rs | 98 +++++-
src/server/rest.rs | 71 ++--
21 files changed, 1443 insertions(+), 225 deletions(-)
create mode 100644 src/config/token_shadow.rs
--
2.20.1
next reply other threads:[~2020-10-19 7:39 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 7:39 Fabian Grünbichler [this message]
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 01/15] fix indentation Fabian Grünbichler
2020-10-19 12:00 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 02/15] fix typos Fabian Grünbichler
2020-10-19 12:01 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 03/15] REST: rename token to csrf_token Fabian Grünbichler
2020-10-19 12:02 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 04/15] Userid: extend schema with token name Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 05/15] add ApiToken to user.cfg and CachedUserInfo Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 06/15] config: add token.shadow file Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 07/15] REST: extract and handle API tokens Fabian Grünbichler
2020-10-20 8:34 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 08/15] api: add API token endpoints Fabian Grünbichler
2020-10-20 9:42 ` Wolfgang Bumiller
2020-10-20 10:15 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 09/15] api: allow listing users + tokens Fabian Grünbichler
2020-10-20 10:10 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 10/15] api: add permissions endpoint Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 11/15] client: allow using ApiToken + secret Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 12/15] owner checks: handle backups owned by API tokens Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 13/15] tasks: allow unpriv users to read their tokens' tasks Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 14/15] manager: add token commands Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 15/15] manager: add user permissions command Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201019073919.588521-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal