From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint'
Date: Mon, 28 Jul 2025 09:59:57 +0200 [thread overview]
Message-ID: <20250728075957.314427-4-c.ebner@proxmox.com> (raw)
In-Reply-To: <20250728075957.314427-1-c.ebner@proxmox.com>
Currently the permissions to read/list s3 endpoint configurations
require Sys.Audit, editing requires Sys.Modiy, both on the root path.
Switch the privileges to be less restrictive by allowing to set the
permissions on `/system/s3-endpoint/{id}` or `/system/s3-endpoint`.
By this, the permissions can be controlled with more fine tuning,
e.g. allowing to limit read access to a subset of the configured s3
endpoints.
Note, this is independent from the permissions to backup/modify
contents on a datastore. A user does not need to read the s3 endpoint
configuration to perform datastore operations.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
src/api2/config/s3.rs | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/api2/config/s3.rs b/src/api2/config/s3.rs
index 04b801028..e4804eb72 100644
--- a/src/api2/config/s3.rs
+++ b/src/api2/config/s3.rs
@@ -11,10 +11,11 @@ use proxmox_s3_client::{
use proxmox_schema::{api, param_bail, ApiType};
use pbs_api_types::{
- DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA, PRIV_SYS_AUDIT,
- PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
+ Authid, DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA,
+ PRIV_SYS_AUDIT, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
};
use pbs_config::s3::{self, S3_CFG_TYPE_ID};
+use pbs_config::CachedUserInfo;
#[api(
input: {
@@ -26,7 +27,8 @@ use pbs_config::s3::{self, S3_CFG_TYPE_ID};
items: { type: S3ClientConfigWithoutSecret },
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Anybody,
+ description: "List configured s3 endpoints filtered by Sys.Audit privileges",
},
)]
/// List all s3 client configurations.
@@ -34,8 +36,20 @@ pub fn list_s3_client_config(
_param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<S3ClientConfigWithoutSecret>, Error> {
+ let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
let (config, digest) = s3::config()?;
- let list = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+ let list: Vec<S3ClientConfigWithoutSecret> = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+
+ let list = list
+ .into_iter()
+ .filter(|endpoint| {
+ let privs = user_info.lookup_privs(&auth_id, &["system", "s3-endpoint", &endpoint.id]);
+ privs & PRIV_SYS_AUDIT != 0
+ })
+ .collect();
+
rpcenv["digest"] = hex::encode(digest).into();
Ok(list)
@@ -59,7 +73,7 @@ pub fn list_s3_client_config(
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint"], PRIV_SYS_MODIFY, false),
},
)]
/// Create a new s3 client configuration.
@@ -97,7 +111,7 @@ pub fn create_s3_client_config(
},
returns: { type: S3ClientConfigWithoutSecret },
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_AUDIT, false),
},
)]
/// Read an s3 client configuration.
@@ -158,7 +172,7 @@ pub enum DeletableProperty {
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
},
)]
/// Update an s3 client configuration.
@@ -244,7 +258,7 @@ pub fn update_s3_client_config(
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
},
)]
/// Remove an s3 client configuration.
--
2.47.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2025-07-28 7:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-28 7:59 [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Christian Ebner
2025-07-28 7:59 ` [pbs-devel] [PATCH proxmox-backup 1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath Christian Ebner
2025-07-28 7:59 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: expose s3-endpoint as acl subpath for 'system' Christian Ebner
2025-07-28 7:59 ` Christian Ebner [this message]
2025-08-05 13:12 ` [pbs-devel] applied: [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250728075957.314427-4-c.ebner@proxmox.com \
--to=c.ebner@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.