* [pdm-devel] [PATCH datacenter-manager] server: remotes: add acls to PBS API token on token creation
@ 2025-09-26 6:33 Christian Ebner
2025-09-26 9:56 ` Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Christian Ebner @ 2025-09-26 6:33 UTC (permalink / raw)
To: pdm-devel
PBS requires the token to have a role for a given ACL path to allow
access to the corresponding sub-resource. In order to provide the
token created by the remote add wizard the necessary permissions,
adapt the client code so it also performs the additional API calls.
Adapt the internal API such that there is additional type checking
instead of using plain strings and extend it such that multiple acls
can be set if required, to be future prove.
Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
server/src/api/remotes.rs | 6 ++++--
server/src/pbs_client.rs | 27 +++++++++++++++++++++++----
2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/server/src/api/remotes.rs b/server/src/api/remotes.rs
index 033aa7c..9624542 100644
--- a/server/src/api/remotes.rs
+++ b/server/src/api/remotes.rs
@@ -5,6 +5,7 @@ use std::error::Error as _;
use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize};
+use pbs_api_types::Role;
use proxmox_access_control::CachedUserInfo;
use proxmox_router::{
http_bail, http_err, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
@@ -164,13 +165,14 @@ pub async fn add_remote(mut entry: Remote, create_token: Option<String>) -> Resu
let token = client
.create_token(
- &entry.authid.to_string(),
- &create_token,
+ entry.authid.user().to_owned(),
+ pbs_api_types::Tokenname::try_from(create_token)?,
pbs_client::CreateToken {
comment,
enable: Some(true),
expire: None,
},
+ &[("/datastore", Role::DatastoreAudit)],
)
.await
.map_err(short_create_err)?;
diff --git a/server/src/pbs_client.rs b/server/src/pbs_client.rs
index def9a4a..24e0c05 100644
--- a/server/src/pbs_client.rs
+++ b/server/src/pbs_client.rs
@@ -8,6 +8,7 @@ use anyhow::bail; // don't import Error as default error in here
use http_body_util::BodyExt;
use serde::Deserialize;
+use pbs_api_types::Role;
use proxmox_client::{ApiPathBuilder, Error, HttpApiClient};
use proxmox_router::stream::JsonRecords;
use proxmox_schema::api;
@@ -148,12 +149,30 @@ impl PbsClient {
/// create a pbs token
pub async fn create_token(
&self,
- userid: &str,
- tokenid: &str,
+ userid: pbs_api_types::Userid,
+ tokenid: pbs_api_types::Tokenname,
params: CreateToken,
+ acls: &[(&str, Role)],
) -> Result<CreateTokenResponse, Error> {
- let path = format!("/api2/extjs/access/users/{userid}/token/{tokenid}");
- Ok(self.0.post(&path, ¶ms).await?.expect_json()?.data)
+ let path = format!(
+ "/api2/extjs/access/users/{}/token/{}",
+ userid.as_str(),
+ tokenid.as_str(),
+ );
+ let response = self.0.post(&path, ¶ms).await?.expect_json()?.data;
+
+ let auth_id = pbs_api_types::Authid::from((userid, Some(tokenid)));
+ for (acl_path, role) in acls {
+ let params = serde_json::json!({
+ "path": acl_path,
+ "auth-id": auth_id,
+ "role": role,
+ "propagate": true,
+ });
+ self.0.put("/api2/extjs/access/acl", ¶ms).await?;
+ }
+
+ Ok(response)
}
/// Return the status the Proxmox Backup Server instance
--
2.47.3
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [pdm-devel] [PATCH datacenter-manager] server: remotes: add acls to PBS API token on token creation
2025-09-26 6:33 [pdm-devel] [PATCH datacenter-manager] server: remotes: add acls to PBS API token on token creation Christian Ebner
@ 2025-09-26 9:56 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2025-09-26 9:56 UTC (permalink / raw)
To: Proxmox Datacenter Manager development discussion, Christian Ebner
Am 26.09.25 um 08:33 schrieb Christian Ebner:
> PBS requires the token to have a role for a given ACL path to allow
> access to the corresponding sub-resource. In order to provide the
> token created by the remote add wizard the necessary permissions,
> adapt the client code so it also performs the additional API calls.
>
> Adapt the internal API such that there is additional type checking
> instead of using plain strings and extend it such that multiple acls
> can be set if required, to be future prove.
As discussed off list, this was replaced by a similar implementation
I had already prepared locally [0], it differs mostly in:
- setting the admin role to /, not just a audit role, which is not
that useful for the PDM, that way it's also closer to what PVE
does through disabling privilege separation completely (not available
for PBS).
- use an actual type not a serde json Value assembled on the fly.
Thanks nonetheless, this was also helpful to me to cross-check.
[0]; https://git.proxmox.com/?p=proxmox-datacenter-manager.git;a=commitdiff;h=4369771b00173048666c269749c0a61faff83352
_______________________________________________
pdm-devel mailing list
pdm-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-09-26 9:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-26 6:33 [pdm-devel] [PATCH datacenter-manager] server: remotes: add acls to PBS API token on token creation Christian Ebner
2025-09-26 9:56 ` Thomas Lamprecht
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.