From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 335131FF16B for ; Fri, 26 Sep 2025 08:33:37 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5312782E4; Fri, 26 Sep 2025 08:34:09 +0200 (CEST) From: Christian Ebner To: pdm-devel@lists.proxmox.com Date: Fri, 26 Sep 2025 08:33:12 +0200 Message-ID: <20250926063312.27000-1-c.ebner@proxmox.com> X-Mailer: git-send-email 2.47.3 MIME-Version: 1.0 X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1758868399558 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.042 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [remotes.rs] Subject: [pdm-devel] [PATCH datacenter-manager] server: remotes: add acls to PBS API token on token creation X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" PBS requires the token to have a role for a given ACL path to allow access to the corresponding sub-resource. In order to provide the token created by the remote add wizard the necessary permissions, adapt the client code so it also performs the additional API calls. Adapt the internal API such that there is additional type checking instead of using plain strings and extend it such that multiple ACLs can be set if required, to be future-proof.
Signed-off-by: Christian Ebner
---
 server/src/api/remotes.rs | 6 ++++--
 server/src/pbs_client.rs | 27 +++++++++++++++++++++++----
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/server/src/api/remotes.rs b/server/src/api/remotes.rs
index 033aa7c..9624542 100644
--- a/server/src/api/remotes.rs
+++ b/server/src/api/remotes.rs
@@ -5,6 +5,7 @@ use std::error::Error as _;
 use anyhow::{bail, format_err, Error};
 use serde::{Deserialize, Serialize};
 
+use pbs_api_types::Role;
 use proxmox_access_control::CachedUserInfo;
 use proxmox_router::{
     http_bail, http_err, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
@@ -164,13 +165,14 @@ pub async fn add_remote(mut entry: Remote, create_token: Option) -> Resu
 
     let token = client
         .create_token(
-            &entry.authid.to_string(),
-            &create_token,
+            entry.authid.user().to_owned(),
+            pbs_api_types::Tokenname::try_from(create_token)?,
             pbs_client::CreateToken {
                 comment,
                 enable: Some(true),
                 expire: None,
             },
+            &[("/datastore", Role::DatastoreAudit)],
         )
         .await
         .map_err(short_create_err)?;
diff --git a/server/src/pbs_client.rs b/server/src/pbs_client.rs
index def9a4a..24e0c05 100644
--- a/server/src/pbs_client.rs
+++ b/server/src/pbs_client.rs
@@ -8,6 +8,7 @@ use anyhow::bail; // don't import Error as default error in here
 use http_body_util::BodyExt;
 use serde::Deserialize;
 
+use pbs_api_types::Role;
 use proxmox_client::{ApiPathBuilder, Error, HttpApiClient};
 use proxmox_router::stream::JsonRecords;
 use proxmox_schema::api;
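Review bot: `pbs_api_types::Tokenname::try_from(create_token)?` in the `add_remote` hunk propagates a parse failure on the user-supplied token name with a bare `?`, so an invalid name most likely surfaces as a generic server error rather than a 400, unlike the token-creation failure on the same call which is shaped by `short_create_err`. Since `http_err` is already imported at the top of the file, mapping it explicitly keeps the API response meaningful: `pbs_api_types::Tokenname::try_from(create_token).map_err(|err| http_err!(BAD_REQUEST, "invalid token name: {err}"))?,`. The body of `add_remote` starts and ends outside this hunk, so whether the name is already validated earlier (for instance by the API schema) cannot be seen here.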
@@ -148,12 +149,30 @@ impl PbsClient {
     /// create a pbs token
     pub async fn create_token(
         &self,
-        userid: &str,
-        tokenid: &str,
+        userid: pbs_api_types::Userid,
+        tokenid: pbs_api_types::Tokenname,
         params: CreateToken,
+        acls: &[(&str, Role)],
     ) -> Result {
-        let path = format!("/api2/extjs/access/users/{userid}/token/{tokenid}");
-        Ok(self.0.post(&path, ¶ms).await?.expect_json()?.data)
+        let path = format!(
+            "/api2/extjs/access/users/{}/token/{}",
+            userid.as_str(),
+            tokenid.as_str(),
+        );
+        let response = self.0.post(&path, ¶ms).await?.expect_json()?.data;
+
+        let auth_id = pbs_api_types::Authid::from((userid, Some(tokenid)));
+        for (acl_path, role) in acls {
+            let params = serde_json::json!({
+                "path": acl_path,
+                "auth-id": auth_id,
+                "role": role,
+                "propagate": true,
+            });
+            self.0.put("/api2/extjs/access/acl", ¶ms).await?;
+        }
+
+        Ok(response)
     }
 
     /// Return the status the Proxmox Backup Server instance
-- 
2.47.3

_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
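Review bot: The token is created by the `post` before the ACL loop runs, so a failed `put` on `/api2/extjs/access/acl` returns an error while the freshly created token (and any ACLs already applied in earlier iterations) stay behind on the PBS, and the caller in `add_remote` then reports it as a token-creation failure with no cleanup. Consider removing the token again on ACL failure with a best-effort `delete` on the same `path` (assuming the wrapped client exposes one) before propagating the error, or at least documenting that the operation is not atomic. The doc comment still reads `/// create a pbs token`; it should mention the ACL side effect, e.g. `/// Create a PBS API token for `userid` and grant it `acls` (propagated) for the new token's auth id.` Note that each ACL is a separate API call, so partial application is observable to the PBS operator even with the cleanup.
```rust
        let response = self.0.post(&path, &params).await?.expect_json()?.data;

        let auth_id = pbs_api_types::Authid::from((userid, Some(tokenid)));
        for (acl_path, role) in acls {
            // … unchanged: build the acl update params …
            if let Err(err) = self.0.put("/api2/extjs/access/acl", &params).await {
                // best effort: do not leave a half-configured token behind on the PBS
                let _ = self.0.delete(&path).await;
                return Err(err);
            }
        }
```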