From: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-datacenter-manager v8 1/3] pdm-config: implement access control backend hooks
Date: Thu, 9 Apr 2026 17:54:27 +0200 [thread overview]
Message-ID: <20260409155437.312760-8-s.rufinatscha@proxmox.com> (raw)
In-Reply-To: <20260409155437.312760-1-s.rufinatscha@proxmox.com>
Implement the `AccessControlBackend` trait in pdm-config and move
`init_user_config()` there from the `AccessControlConfig` impl in pdm-api-types.
Update the server and admin-CLI initialization to call `init_separate()`,
passing the ACL config and the backend as separate arguments.
Signed-off-by: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
---
cli/admin/src/main.rs | 3 ++-
lib/pdm-api-types/src/acl.rs | 26 +------------------------
lib/pdm-config/Cargo.toml | 1 +
lib/pdm-config/src/access_control.rs | 29 ++++++++++++++++++++++++++++
lib/pdm-config/src/lib.rs | 2 ++
server/src/acl.rs | 10 ++++++++--
6 files changed, 43 insertions(+), 28 deletions(-)
create mode 100644 lib/pdm-config/src/access_control.rs
diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
index f698fa2..d51f211 100644
--- a/cli/admin/src/main.rs
+++ b/cli/admin/src/main.rs
@@ -18,8 +18,9 @@ fn main() {
let priv_user = pdm_config::priv_user().expect("cannot get privileged user");
proxmox_product_config::init(api_user, priv_user);
- proxmox_access_control::init::init(
+ proxmox_access_control::init::init_separate(
&pdm_api_types::AccessControlConfig,
+ &pdm_config::AccessControlBackend,
pdm_buildcfg::configdir!("/access"),
)
.expect("failed to setup access control config");
diff --git a/lib/pdm-api-types/src/acl.rs b/lib/pdm-api-types/src/acl.rs
index 405982a..0868f3d 100644
--- a/lib/pdm-api-types/src/acl.rs
+++ b/lib/pdm-api-types/src/acl.rs
@@ -2,17 +2,15 @@ use std::collections::HashMap;
use std::str::FromStr;
use std::sync::LazyLock;
-use anyhow::{format_err, Context, Error};
+use anyhow::{format_err, Error};
use const_format::concatcp;
use serde::de::{value, IntoDeserializer};
use serde::{Deserialize, Serialize};
-use proxmox_access_control::types::User;
use proxmox_auth_api::types::Authid;
use proxmox_lang::constnamedbitmap;
use proxmox_schema::api_types::SAFE_ID_REGEX_STR;
use proxmox_schema::{api, const_regex, ApiStringFormat, BooleanSchema, Schema, StringSchema};
-use proxmox_section_config::SectionConfigData;
const_regex! {
pub ACL_PATH_REGEX = concatcp!(r"^(?:/|", r"(?:/", SAFE_ID_REGEX_STR, ")+", r")$");
@@ -224,28 +222,6 @@ impl proxmox_access_control::init::AccessControlConfig for AccessControlConfig {
Some("Administrator")
}
- fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> {
- if !config.sections.contains_key("root@pam") {
- config
- .set_data(
- "root@pam",
- "user",
- User {
- userid: "root@pam".parse().expect("invalid user id"),
- comment: Some("Superuser".to_string()),
- enable: None,
- expire: None,
- firstname: None,
- lastname: None,
- email: None,
- },
- )
- .context("failed to insert default user into user config")?
- }
-
- Ok(())
- }
-
fn acl_audit_privileges(&self) -> u64 {
PRIV_ACCESS_AUDIT
}
diff --git a/lib/pdm-config/Cargo.toml b/lib/pdm-config/Cargo.toml
index d39c2ad..19781d2 100644
--- a/lib/pdm-config/Cargo.toml
+++ b/lib/pdm-config/Cargo.toml
@@ -13,6 +13,7 @@ once_cell.workspace = true
openssl.workspace = true
serde.workspace = true
+proxmox-access-control.workspace = true
proxmox-config-digest = { workspace = true, features = [ "openssl" ] }
proxmox-http = { workspace = true, features = [ "http-helpers" ] }
proxmox-ldap = { workspace = true, features = [ "types" ]}
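Review bot: The new lib/pdm-config/src/access_control.rs imports `proxmox_section_config::SectionConfigData` and `anyhow`, but this hunk only adds `proxmox-access-control`; neither `proxmox-section-config` nor `anyhow` is among the lines shown, so the build depends on them already being listed elsewhere in this `[dependencies]` table. Worth confirming before merge; if `proxmox-section-config` is missing, add `proxmox-section-config.workspace = true` next to the new line.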
diff --git a/lib/pdm-config/src/access_control.rs b/lib/pdm-config/src/access_control.rs
new file mode 100644
index 0000000..0c17c99
--- /dev/null
+++ b/lib/pdm-config/src/access_control.rs
@@ -0,0 +1,29 @@
+use anyhow::{Context, Error};
+use proxmox_access_control::types::User;
+use proxmox_section_config::SectionConfigData;
+
+pub struct AccessControlBackend;
+
+impl proxmox_access_control::init::AccessControlBackend for AccessControlBackend {
+ fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> {
+ if !config.sections.contains_key("root@pam") {
+ config
+ .set_data(
+ "root@pam",
+ "user",
+ User {
+ userid: "root@pam".parse().expect("invalid user id"),
+ comment: Some("Superuser".to_string()),
+ enable: None,
+ expire: None,
+ firstname: None,
+ lastname: None,
+ email: None,
+ },
+ )
+ .context("failed to insert default user into user config")?
+ }
+
+ Ok(())
+ }
+}
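Review bot: `pub struct AccessControlBackend;` is a new public item with no doc comment, and the `init_user_config` impl does not say what it seeds or why; suggest `/// Backend hooks handed to proxmox-access-control; seeds the default root@pam user when missing.` on the struct and, above the `contains_key` check, `// Only seed when no root@pam section exists, so an existing (possibly edited) entry is never overwritten.` The `"root@pam"` literal appears three times in the file; a `const ROOT_USERID: &str = "root@pam";` used for both the section key and the parsed `userid` would keep the two from drifting apart. The `enable: None` / `expire: None` values are carried over from the moved code and not changed here; since this is the superuser entry, a short comment stating their intended meaning (presumably "enabled, no expiry" per the library's defaults — worth confirming) would help a reviewer of the seeded state.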
diff --git a/lib/pdm-config/src/lib.rs b/lib/pdm-config/src/lib.rs
index 4c49054..6e5e760 100644
--- a/lib/pdm-config/src/lib.rs
+++ b/lib/pdm-config/src/lib.rs
@@ -9,6 +9,8 @@ pub mod remotes;
pub mod setup;
pub mod views;
+mod access_control;
+pub use access_control::AccessControlBackend;
mod config_version_cache;
pub use config_version_cache::ConfigVersionCache;
diff --git a/server/src/acl.rs b/server/src/acl.rs
index f421814..4150ef4 100644
--- a/server/src/acl.rs
+++ b/server/src/acl.rs
@@ -1,7 +1,13 @@
pub(crate) fn init() {
static ACCESS_CONTROL_CONFIG: pdm_api_types::AccessControlConfig =
pdm_api_types::AccessControlConfig;
+ static ACCESS_CONTROL_BACKEND: pdm_config::AccessControlBackend =
+ pdm_config::AccessControlBackend;
- proxmox_access_control::init::init(&ACCESS_CONTROL_CONFIG, pdm_buildcfg::configdir!("/access"))
- .expect("failed to setup access control config");
+ proxmox_access_control::init::init_separate(
+ &ACCESS_CONTROL_CONFIG,
+ &ACCESS_CONTROL_BACKEND,
+ pdm_buildcfg::configdir!("/access"),
+ )
+ .expect("failed to setup access control config");
}
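Review bot: The two call sites now differ in style: this hunk declares named `static`s for the two unit structs, while cli/admin/src/main.rs passes `&pdm_api_types::AccessControlConfig` and `&pdm_config::AccessControlBackend` inline. Because both are unit structs, the inline borrows appear to be promoted to `'static` as well, so the statics here look unnecessary and the call could be written as `proxmox_access_control::init::init_separate(&pdm_api_types::AccessControlConfig, &pdm_config::AccessControlBackend, pdm_buildcfg::configdir!("/access"))` to match the CLI. The `.expect(...)` panic at daemon startup is fail-closed for access control, which is the right default; a one-line comment saying so (`// Fail closed: refuse to start without a usable access-control config.`) would make that intent explicit.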
--
2.47.3