From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>,
	Dominik Csapak <d.csapak@proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 1/6] backup: hierarchy: add new can_access_any_namespace_in_range helper
Date: Fri, 3 Oct 2025 11:52:54 +0200
Message-ID: <28f638cf-5e76-4b68-8594-6860a8ea22b5@proxmox.com>
In-Reply-To: <20251003085045.1346864-3-d.csapak@proxmox.com>

On 03.10.25 at 10:50, Dominik Csapak wrote:
> sometimes we need to check the permissions in a range from a starting
> namespace with a certain depth.
> 
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  src/backup/hierarchy.rs | 27 ++++++++++++++++++++-------
>  1 file changed, 20 insertions(+), 7 deletions(-)
> 
> diff --git a/src/backup/hierarchy.rs b/src/backup/hierarchy.rs
> index 8dd71fcf7..438bc3ee3 100644
> --- a/src/backup/hierarchy.rs
> +++ b/src/backup/hierarchy.rs
> @@ -68,19 +68,23 @@ pub fn check_ns_privs_full(
>      );
>  }
>  
> -pub fn can_access_any_namespace(
> +/// Checks if the given user has read/access rights on any namespace on the given datastore,
> +/// beginning with `start_ns` up to `max_depth` below.
> +pub fn can_access_any_namespace_in_range(

I would interpret a range as being over a linear list, not a tree; the "below"
you use in the doc comment is already much better fitting, like:

can_access_any_namespace_below


>      store: Arc<DataStore>,
>      auth_id: &Authid,
>      user_info: &CachedUserInfo,
> +    start_ns: Option<BackupNamespace>,

nit: start is IMO slightly confusing for the tree-like nature of namespaces, maybe
parent_ns would be better suited?

> +    max_depth: Option<usize>,
>  ) -> bool {
> +    let ns = start_ns.unwrap_or_default();
>      // NOTE: traversing the datastore could be avoided if we had an "ACL tree: is there any priv
>      // below /datastore/{store}" helper
> -    let mut iter =
> -        if let Ok(iter) = store.recursive_iter_backup_ns_ok(BackupNamespace::root(), None) {
> -            iter
> -        } else {
> -            return false;
> -        };
> +    let mut iter = if let Ok(iter) = store.recursive_iter_backup_ns_ok(ns, max_depth) {
> +        iter
> +    } else {
> +        return false;
> +    };

This could use let-else, e.g. something like (untested):

let Ok(mut iter) = store.recursive_iter_backup_ns_ok(ns, max_depth) else {
    return false;
};


>      let wanted =
>          PRIV_DATASTORE_AUDIT | PRIV_DATASTORE_MODIFY | PRIV_DATASTORE_READ | PRIV_DATASTORE_BACKUP;
>      let name = store.name();
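
Review bot: The doc comment on `can_access_any_namespace_in_range` does not say what `None` means for `start_ns` or `max_depth`, nor whether the starting namespace itself is part of the check. In the body, `start_ns` falls back to `unwrap_or_default()` and `max_depth` is handed unchanged to `recursive_iter_backup_ns_ok`, so for a helper that gates access both defaults should be spelled out in the doc comment. The unchanged NOTE above the iterator also still reads "below /datastore/{store}", while the traversal now starts at `ns`; consider updating it to match.
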
> @@ -90,6 +94,15 @@ pub fn can_access_any_namespace(
>      })
>  }
>  
> +/// Checks if the given user has read/access rights on any namespace on given datastore
> +pub fn can_access_any_namespace(
> +    store: Arc<DataStore>,
> +    auth_id: &Authid,
> +    user_info: &CachedUserInfo,
> +) -> bool {
> +    can_access_any_namespace_in_range(store, auth_id, user_info, None, None)
> +}
> +
>  /// A privilege aware iterator for all backup groups in all Namespaces below an anchor namespace,
>  /// most often that will be the `BackupNamespace::root()` one.
>  ///
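
Review bot: In the new `can_access_any_namespace` wrapper, the `None, None` arguments keep the previous behaviour only if `BackupNamespace::default()` is the root namespace, since the removed code passed `BackupNamespace::root()` explicitly. Either pass the root explicitly or state in the doc comment that the check covers the whole datastore starting at the root, so a later change to the default cannot silently narrow or widen this permission check. The doc comment also reads "on given datastore", where the other helper says "on the given datastore".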


