From: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox{,-datacenter-manager} v8 0/9] token-shadow: reduce api token verification overhead
Date: Thu,  9 Apr 2026 17:54:20 +0200
Message-ID: <20260409155437.312760-1-s.rufinatscha@proxmox.com>

Hi,

This series mirrors the token secret caching approach from PBS [0] for
PDM through proxmox-access-control.

Since PDM implements permissions in pdm-api-types and cache/generation
hooks in pdm-config, the trait needed to be split. This series
introduces a separate AccessControlBackend trait
(gated behind cfg(feature = "impl")) for the cache and token.shadow
generation hooks, and moves init_user_config there as well. PDM wires
the backend via init_separate(), which accepts the two traits
independently.

This series also wires the existing but previously not wired user and
ACL generation.

Testing

I verified that this series mirrors the already applied PBS patches
including follow-ups by comparing patch diffs.

Functionally, I tested whether:
   * valid tokens authenticate correctly when used in API requests
   * invalid secrets are rejected as before
   * generating a new token secret via dashboard (create token for user,
   regenerate existing secret) works and authenticates correctly
   * disabling the token or removing ACL permissions stops accepting
   requests

Patches 1 - 6 generally mirror the already applied PBS patches in
proxmox-access-control including follow-ups (thanks @Fabian).
Patches 7 - 9 focus on PDM's AccessControlBackend implementation and
wire the cache generations.

Maintainer Notes:
* proxmox-access-control trait split -> version bump
* Renames ConfigVersionCache's pub user_cache_generation and
 increase_user_cache_generation -> version bump
* Adds parking_lot::RwLock dependency in proxmox-access-control

[0] https://lore.proxmox.com/pbs-devel/20260312103708.125282-1-s.rufinatscha@proxmox.com/T/#t

proxmox:

Samuel Rufinatscha (6):
  token shadow: split AccessControlConfig and add token.shadow
    generation
  token shadow: cache verified API token secrets
  token shadow: invalidate token-secret cache on token.shadow changes
  token shadow: add TTL window to token secret cache
  token shadow: inline set_secret fn
  token shadow: deduplicate more code into apply_api_mutation

 Cargo.toml                                    |   1 +
 proxmox-access-control/Cargo.toml             |   1 +
 proxmox-access-control/src/acl.rs             |   4 +-
 .../src/cached_user_info.rs                   |   4 +-
 proxmox-access-control/src/init.rs            | 113 ++++--
 proxmox-access-control/src/lib.rs             |   2 +-
 proxmox-access-control/src/token_shadow.rs    | 324 ++++++++++++++++--
 proxmox-access-control/src/user.rs            |   6 +-
 8 files changed, 396 insertions(+), 59 deletions(-)


proxmox-datacenter-manager:

Samuel Rufinatscha (3):
  pdm-config: implement access control backend hooks
  pdm-config: wire user and ACL cache generation
  pdm-config: wire token.shadow generation

 cli/admin/src/main.rs                      |  3 +-
 docs/access-control.rst                    |  4 ++
 lib/pdm-api-types/src/acl.rs               | 26 +----------
 lib/pdm-config/Cargo.toml                  |  1 +
 lib/pdm-config/src/access_control.rs       | 51 ++++++++++++++++++++++
 lib/pdm-config/src/config_version_cache.rs | 34 +++++++++++----
 lib/pdm-config/src/lib.rs                  |  2 +
 server/src/acl.rs                          | 10 ++++-
 8 files changed, 95 insertions(+), 36 deletions(-)
 create mode 100644 lib/pdm-config/src/access_control.rs


Summary over all repositories:
  16 files changed, 491 insertions(+), 95 deletions(-)

-- 
Generated by git-murpp 0.8.1
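
The patch titles above describe a cache of verified token secrets that is invalidated by a token.shadow generation counter and bounded by a TTL. The following sketch of that pattern is an added example, not code from this series or from proxmox-access-control. All names (TokenCache, bump_generation, verify, the slow callback) are hypothetical, it uses std::sync::RwLock instead of parking_lot, and an in-process AtomicU64 stands in for the shared generation counter.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::RwLock;
use std::time::{Duration, Instant};

struct Entry { secret: String, generation: u64, verified_at: Instant }

/// Hypothetical cache; `generation` stands in for a shared token.shadow counter.
pub struct TokenCache {
    ttl: Duration,
    generation: AtomicU64,
    map: RwLock<HashMap<String, Entry>>,
}

/// Compare without an early exit on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl TokenCache {
    pub fn new(ttl: Duration) -> Self {
        Self { ttl, generation: AtomicU64::new(0), map: RwLock::new(HashMap::new()) }
    }
    /// Every writer of token.shadow (new, regenerated or deleted secret) calls this.
    pub fn bump_generation(&self) { self.generation.fetch_add(1, Ordering::AcqRel); }

    /// `slow` is the expensive hash check against token.shadow (assumed callback).
    /// Returns (accepted, served_from_cache).
    pub fn verify(&self, id: &str, secret: &str, slow: impl Fn(&str, &str) -> bool) -> (bool, bool) {
        let seen = self.generation.load(Ordering::Acquire);
        if let Some(e) = self.map.read().unwrap().get(id) {
            let fresh = e.generation == seen && e.verified_at.elapsed() < self.ttl;
            if fresh && ct_eq(e.secret.as_bytes(), secret.as_bytes()) {
                return (true, true);
            }
        }
        // Miss, stale entry or different secret: only the slow path decides.
        if !slow(id, secret) { return (false, false); }
        // Do not cache a result that raced with a token.shadow change.
        if self.generation.load(Ordering::Acquire) == seen {
            let e = Entry { secret: secret.to_owned(), generation: seen, verified_at: Instant::now() };
            self.map.write().unwrap().insert(id.to_owned(), e);
        }
        (true, false)
    }
}

fn main() {
    let cache = TokenCache::new(Duration::from_secs(60));
    let slow = |_: &str, s: &str| s == "constructed-secret"; // constructed sample
    println!("{:?}", cache.verify("user@pam!tok", "constructed-secret", &slow));
    println!("{:?}", cache.verify("user@pam!tok", "constructed-secret", &slow));
}
```

A failed attempt never populates or evicts the cache, so a wrong secret always pays for the slow path while the valid one stays cached until the generation changes or the TTL expires.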