From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id E33091FF187 for ; Mon, 28 Jul 2025 09:58:53 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4C0A61C8C2; Mon, 28 Jul 2025 10:00:17 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Mon, 28 Jul 2025 09:59:57 +0200 Message-ID: <20250728075957.314427-4-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.2 In-Reply-To: <20250728075957.314427-1-c.ebner@proxmox.com> References: <20250728075957.314427-1-c.ebner@proxmox.com> MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753689604225 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.955 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_MAILER 2 Automated Mailer Tag Left in Email SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH proxmox-backup 3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint' X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Currently the permissions to read/list s3 endpoint configurations require Sys.Audit, editing requires Sys.Modiy, both on the root path. Switch the privileges to be less restrictive by allowing to set the permissions on `/system/s3-endpoint/{id}` or `/system/s3-endpoint`. By this, the permissions can be controlled with more fine tuning, e.g. allowing to limit read access to a subset of the configured s3 endpoints. Note, this is independent from the permissions to backup/modify contents on a datastore. A user does not need to read the s3 endpoint configuration to perform datastore operations. Signed-off-by: Christian Ebner
---
 src/api2/config/s3.rs | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/api2/config/s3.rs b/src/api2/config/s3.rs
index 04b801028..e4804eb72 100644
--- a/src/api2/config/s3.rs
+++ b/src/api2/config/s3.rs
@@ -11,10 +11,11 @@ use proxmox_s3_client::{
 use proxmox_schema::{api, param_bail, ApiType};
 use pbs_api_types::{
- DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA, PRIV_SYS_AUDIT,
- PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
+ Authid, DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA,
+ PRIV_SYS_AUDIT, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
 };
 use pbs_config::s3::{self, S3_CFG_TYPE_ID};
+use pbs_config::CachedUserInfo;
 #[api(
 input: {
@@ -26,7 +27,8 @@ use pbs_config::s3::{self, S3_CFG_TYPE_ID};
 items: { type: S3ClientConfigWithoutSecret },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Anybody,
+ description: "List configured s3 endpoints filtered by Sys.Audit privileges",
 },
 )]
 /// List all s3 client configurations.
@@ -34,8 +36,20 @@ pub fn list_s3_client_config(
 _param: Value,
 rpcenv: &mut dyn RpcEnvironment,
 ) -> Result, Error> {
+ let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
 let (config, digest) = s3::config()?;
- let list = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+ let list: Vec = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+
+ let list = list
+ .into_iter()
+ .filter(|endpoint| {
+ let privs = user_info.lookup_privs(&auth_id, &["system", "s3-endpoint", &endpoint.id]);
+ privs & PRIV_SYS_AUDIT != 0
+ })
+ .collect();
+
 rpcenv["digest"] = hex::encode(digest).into();
 Ok(list)
@@ -59,7 +73,7 @@ pub fn list_s3_client_config(
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint"], PRIV_SYS_MODIFY, false),
 },
 )]
 /// Create a new s3 client configuration.
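Review bot: The `description` added to the `access` block in the `@@ -26,7 +27,8 @@` hunk says the list is filtered by Sys.Audit but not on which ACL path, and with `Permission::Anybody` this string is the only place the rule is declared for API consumers. I would spell the path out, `description: "List configured s3 endpoints filtered by Sys.Audit privileges on /system/s3-endpoint/{id}",`, so that it matches the `lookup_privs` call in the handler. The `#[api(...)]` attribute starts above this hunk.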
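Review bot: `rpcenv.get_auth_id().unwrap()` on the first added line of the `@@ -34,8 +36,20 @@` hunk panics rather than returning an API error if the environment carries no auth id, and since the declared permission for this endpoint is now `Permission::Anybody`, the handler is the only place that decides what the caller may see. Mapping the `None` case to an error keeps it on the `Result` path, e.g. `let auth_id: Authid = rpcenv.get_auth_id().ok_or_else(|| format_err!("missing auth id"))?.parse()?;` (assuming `Error` here is anyhow's, which the hunk does not show). Two things deserve a comment next to the filter: visibility depends on `PRIV_SYS_AUDIT` alone, so a user holding only Sys.Modify on an endpoint can update it but never list it, and `rpcenv["digest"]` still covers the unfiltered config.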
@@ -97,7 +111,7 @@ pub fn create_s3_client_config(
 },
 returns: { type: S3ClientConfigWithoutSecret },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_AUDIT, false),
 },
 )]
 /// Read an s3 client configuration.
@@ -158,7 +172,7 @@ pub enum DeletableProperty {
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
 },
 )]
 /// Update an s3 client configuration.
@@ -244,7 +258,7 @@ pub fn update_s3_client_config(
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
 },
 )]
 /// Remove an s3 client configuration.
--
2.47.2
_______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
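Review bot: Nothing in the update hunk (`@@ -158,7 +172,7 @@`) documents how far a per-endpoint `PRIV_SYS_MODIFY` grant on `["system", "s3-endpoint", "{id}"]` reaches, and the same holds for the delete hunk (`@@ -244,7 +258,7 @@`) and the collection-level check in the create hunk (`@@ -59,7 +73,7 @@`). The handler bodies are outside these hunks, so I cannot see which fields a delegated account may change. If they include the address or credentials of an endpoint that a datastore already uses, the grant affects that datastore's backend without any datastore privilege being held, which an administrator assigning the ACL should be told. I would extend the doc comment, e.g. `/// Update an s3 client configuration. Requires Sys.Modify on /system/s3-endpoint/{id}, also for endpoints in use by a datastore.`, and mirror that in the ACL documentation.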