* [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths
@ 2025-07-28  7:59 Christian Ebner
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath Christian Ebner
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Christian Ebner @ 2025-07-28  7:59 UTC (permalink / raw)
  To: pbs-devel

This patch series relaxes the currently rather strict permissions
required to read/list/edit/delete the s3 endpoint configurations.

Instead of requiring either Sys.Audit or Sys.Modify on the root path,
allow defining permissions on the /system/s3-endpoint and
/system/s3-endpoint/{id} sub-paths. By this, the permissions can be
set more flexibly.

Note: These permissions are independent from operations on datastores
backed by s3 backend, the client does not need to access the config
in any way via the api, as s3 client instantiation is handled by the
backend itself.

For example, allow `user@pbs` to edit all s3 endpoints:
acl:1:/system/s3-endpoint:user@pbs:Admin

Allow `user@pbs` to list/read `aws-s3` endpoint only:
acl:1:/system/s3-endpoint/aws-s3:user@pbs:Audit

Christian Ebner (3):
  pbs-config: acls: add s3-endpoint as valid 'system' subpath
  ui: expose s3-endpoint as acl subpath for 'system'
  config: s3: relax permissions to acl subpaths of '/system/s3-endpoint'

 pbs-config/src/acl.rs              |  6 ++++++
 src/api2/config/s3.rs              | 30 ++++++++++++++++++++++--------
 www/form/PermissionPathSelector.js |  1 +
 3 files changed, 29 insertions(+), 8 deletions(-)

-- 
2.47.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel



* [pbs-devel] [PATCH proxmox-backup 1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath
  2025-07-28  7:59 [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Christian Ebner
@ 2025-07-28  7:59 ` Christian Ebner
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: expose s3-endpoint as acl subpath for 'system' Christian Ebner
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Christian Ebner @ 2025-07-28  7:59 UTC (permalink / raw)
  To: pbs-devel

Adds a dedicated subpath for the permission checks for s3 endpoint
configurations in the acl path component checks. Allows setting
permissions on either the whole s3 config or for individual endpoint
ids.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 pbs-config/src/acl.rs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pbs-config/src/acl.rs b/pbs-config/src/acl.rs
index aca1f68fd..42f419fb5 100644
--- a/pbs-config/src/acl.rs
+++ b/pbs-config/src/acl.rs
@@ -127,6 +127,12 @@ pub fn check_acl_path(path: &str) -> Result<(), Error> {
                         _ => {}
                     }
                 }
+                "s3-endpoint" => {
+                    // /system/s3-endpoint/{id}
+                    if components_len <= 3 {
+                        return Ok(());
+                    }
+                }
                 _ => {}
             }
         }
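Review bot: the new "s3-endpoint" arm accepts any string as the third component, and its comment names only /system/s3-endpoint/{id} although `components_len <= 3` also accepts the bare /system/s3-endpoint. Please extend the comment to list both accepted forms, and consider checking the id component against the endpoint id format so that an ACL cannot be saved for a path no endpoint can ever have. The diffstat shows six inserted lines and no test; a small case for check_acl_path covering the two accepted paths and a rejected four-component path would pin the behaviour.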
-- 
2.47.2




* [pbs-devel] [PATCH proxmox-backup 2/3] ui: expose s3-endpoint as acl subpath for 'system'
  2025-07-28  7:59 [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Christian Ebner
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath Christian Ebner
@ 2025-07-28  7:59 ` Christian Ebner
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint' Christian Ebner
  2025-08-05 13:12 ` [pbs-devel] applied: [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Christian Ebner @ 2025-07-28  7:59 UTC (permalink / raw)
  To: pbs-devel

Allows selecting the 's3-endpoint' subpath to restrict permissions to
either the full s3 endpoint configuration or the corresponding
endpoint id.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 www/form/PermissionPathSelector.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/www/form/PermissionPathSelector.js b/www/form/PermissionPathSelector.js
index d2f651a3c..e5f2aec46 100644
--- a/www/form/PermissionPathSelector.js
+++ b/www/form/PermissionPathSelector.js
@@ -20,6 +20,7 @@ Ext.define('PBS.data.PermissionPathsStore', {
         { value: '/system/network/dns' },
         { value: '/system/network/interfaces' },
         { value: '/system/notifications' },
+        { value: '/system/s3-endpoint' },
         { value: '/system/services' },
         { value: '/system/status' },
         { value: '/system/tasks' },
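Review bot: only the parent path '/system/s3-endpoint' is added to the store, while the commit message also promises restricting to a single endpoint id. If per-endpoint paths are meant to be entered by hand, say so in the commit message; otherwise the store needs entries of the form /system/s3-endpoint/{id} filled in from the configured endpoints, since the neighbouring entries here are all static values.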
-- 
2.47.2




* [pbs-devel] [PATCH proxmox-backup 3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint'
  2025-07-28  7:59 [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Christian Ebner
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath Christian Ebner
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: expose s3-endpoint as acl subpath for 'system' Christian Ebner
@ 2025-07-28  7:59 ` Christian Ebner
  2025-08-05 13:12 ` [pbs-devel] applied: [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Christian Ebner @ 2025-07-28  7:59 UTC (permalink / raw)
  To: pbs-devel

Currently the permissions to read/list s3 endpoint configurations
require Sys.Audit, editing requires Sys.Modify, both on the root path.

Switch the privileges to be less restrictive by allowing the
permissions to be set on `/system/s3-endpoint/{id}` or
`/system/s3-endpoint`. By this, the permissions can be controlled with
more fine tuning, e.g. allowing to limit read access to a subset of the
configured s3 endpoints.

Note, this is independent from the permissions to backup/modify
contents on a datastore. A user does not need to read the s3 endpoint
configuration to perform datastore operations.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
 src/api2/config/s3.rs | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/api2/config/s3.rs b/src/api2/config/s3.rs
index 04b801028..e4804eb72 100644
--- a/src/api2/config/s3.rs
+++ b/src/api2/config/s3.rs
@@ -11,10 +11,11 @@ use proxmox_s3_client::{
 use proxmox_schema::{api, param_bail, ApiType};
 
 use pbs_api_types::{
-    DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA, PRIV_SYS_AUDIT,
-    PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
+    Authid, DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA,
+    PRIV_SYS_AUDIT, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
 };
 use pbs_config::s3::{self, S3_CFG_TYPE_ID};
+use pbs_config::CachedUserInfo;
 
 #[api(
     input: {
@@ -26,7 +27,8 @@ use pbs_config::s3::{self, S3_CFG_TYPE_ID};
         items: { type: S3ClientConfigWithoutSecret },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Anybody,
+        description: "List configured s3 endpoints filtered by Sys.Audit privileges",
     },
 )]
 /// List all s3 client configurations.
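Review bot: with `Permission::Anybody` the API schema no longer enforces anything for this call, so the filter in the function body becomes the only access check, and the description does not say where the privilege is looked up. Suggest spelling out the path, for example "List configured s3 endpoints filtered by Sys.Audit privileges on /system/s3-endpoint/{id}", so the generated API documentation tells an admin which ACL entry controls visibility.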
@@ -34,8 +36,20 @@ pub fn list_s3_client_config(
     _param: Value,
     rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Vec<S3ClientConfigWithoutSecret>, Error> {
+    let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+    let user_info = CachedUserInfo::new()?;
+
     let (config, digest) = s3::config()?;
-    let list = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+    let list: Vec<S3ClientConfigWithoutSecret> = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+
+    let list = list
+        .into_iter()
+        .filter(|endpoint| {
+            let privs = user_info.lookup_privs(&auth_id, &["system", "s3-endpoint", &endpoint.id]);
+            privs & PRIV_SYS_AUDIT != 0
+        })
+        .collect();
+
     rpcenv["digest"] = hex::encode(digest).into();
 
     Ok(list)
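Review bot: `rpcenv["digest"]` is still set from the digest of the whole config after the list has been filtered, so a caller who may see only some endpoints (or none) can still observe that an endpoint outside their view was added or changed. Worth a sentence in the commit message stating that this is acceptable, or withholding the digest when the filter removed entries. Separately, `rpcenv.get_auth_id().unwrap()` panics if no auth id is set; returning an error instead keeps the handler panic-free now that the body carries the access check for this call.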
@@ -59,7 +73,7 @@ pub fn list_s3_client_config(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "s3-endpoint"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Create a new s3 client configuration.
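Review bot: create checks Sys.Modify on /system/s3-endpoint while the per-endpoint calls further down check /system/s3-endpoint/{id}, so a user holding Sys.Modify only on one endpoint's path can delete that endpoint but cannot create it again. That asymmetry is reasonable, but neither the doc comment nor the commit message mentions it; a line in the commit message would save admins from finding it by trial.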
@@ -97,7 +111,7 @@ pub fn create_s3_client_config(
     },
     returns: { type: S3ClientConfigWithoutSecret },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_AUDIT, false),
     },
 )]
 /// Read an s3 client configuration.
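Review bot: style: the new `permission:` line runs past 100 columns (rustfmt's default width), and the same holds for the two Sys.Modify lines in the following hunks. Please break the `Permission::Privilege(...)` arguments across lines, one argument per line.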
@@ -158,7 +172,7 @@ pub enum DeletableProperty {
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Update an s3 client configuration.
@@ -244,7 +258,7 @@ pub fn update_s3_client_config(
         },
     },
     access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
     },
 )]
 /// Remove an s3 client configuration.
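Review bot: with delete now gated per id, the visible lines do not show what happens to ACL entries on /system/s3-endpoint/{id} once the endpoint is removed. If they stay in place, an endpoint created later under the same id inherits the old grants; please either drop matching ACL entries on removal or note the behaviour in the doc comment.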
-- 
2.47.2




* [pbs-devel] applied: [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths
  2025-07-28  7:59 [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Christian Ebner
                   ` (2 preceding siblings ...)
  2025-07-28  7:59 ` [pbs-devel] [PATCH proxmox-backup 3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint' Christian Ebner
@ 2025-08-05 13:12 ` Thomas Lamprecht
  3 siblings, 0 replies; 5+ messages in thread
From: Thomas Lamprecht @ 2025-08-05 13:12 UTC (permalink / raw)
  To: pbs-devel, Christian Ebner

On Mon, 28 Jul 2025 09:59:54 +0200, Christian Ebner wrote:
> This patch series relaxes the currently rather strict permissions
> required to read/list/edit/delete the s3 endpoint configurations.
> 
> Instead of requiring either Sys.Audit or Sys.Modify on the root path,
> allow defining permissions on the /system/s3-endpoint and
> /system/s3-endpoint/{id} sub-paths. By this, the permissions can be
> set more flexibly.
> 
> [...]

Applied, thanks!

[1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath
      commit: 76d938db4dcc479767196b6323f202b29f9cc606
[2/3] ui: expose s3-endpoint as acl subpath for 'system'
      commit: 632186b9a02fbe5c64965b95399160afb2c80c1f
[3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint'
      commit: 621fd8eaae96c944e391ce10bb4a3f008758e403

