From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 5A84A1FF187 for ; Mon, 28 Jul 2025 09:59:20 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4CA881C931; Mon, 28 Jul 2025 10:00:44 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Mon, 28 Jul 2025 09:59:54 +0200 Message-ID: <20250728075957.314427-1-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.2 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753689603495 X-SPAM-LEVEL: Spam detection results: 0 AWL -1.105 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_MAILER 2 Automated Mailer Tag Left in Email POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" This patch series relaxes the currently rather strict permissions required to read/list/edit/delete the s3 endpoint configurations. Instead of requiring either Sys.Audit or Sys.Modify on the root path, allow to define permissions on the /system/s3-endpoint and /system/s3-endpoint/{id} sub-path. By this, the permissions can be set more flexible. Note: These permissions are independent from operations on datastores backed by s3 backend, the client does not need to access the config in any way via the api, as s3 client instantiation is handled by the backend itself. For example, allow `user@pbs` to edit all s3 endpoints: acl:1:/system/s3-endpoint:user@pbs:Admin Allow `user@pbs` to list/read `aws-s3` endpoint only: acl:1:/system/s3-endpoint/aws-s3:user@pbs:Audit Christian Ebner (3): pbs-config: acls: add s3-endpoint as valid 'system' subpath ui: expose s3-endpoint as acl subpath for 'system' config: s3: relax permissions to acl subpaths of '/system/s3-endpoint' pbs-config/src/acl.rs | 6 ++++++ src/api2/config/s3.rs | 30 ++++++++++++++++++++++-------- www/form/PermissionPathSelector.js | 1 + 3 files changed, 29 insertions(+), 8 deletions(-) -- 2.47.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel