From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Samuel Rufinatscha" <s.rufinatscha@proxmox.com>
Cc: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-datacenter-manager v3 1/2] pdm-config: implement token.shadow generation
Date: Fri, 16 Jan 2026 17:48:16 +0100 [thread overview]
Message-ID: <DFQ612OAB0QH.33RQ9X3JVTAUO@proxmox.com> (raw)
In-Reply-To: <5eb0fa34-92c2-44e4-8c46-a16d915057a5@proxmox.com>
On Fri Jan 16, 2026 at 5:28 PM CET, Samuel Rufinatscha wrote:
> On 1/14/26 11:44 AM, Fabian Grünbichler wrote:
>> On January 2, 2026 5:07 pm, Samuel Rufinatscha wrote:
>>> PDM depends on the shared proxmox/proxmox-access-control crate for
>>> token.shadow handling, which expects the product to provide a
>>> cross-process invalidation signal so it can safely cache verified API
>>> token secrets and invalidate them when token.shadow is changed.
>>>
>>> This patch
>>>
>>> * adds a token_shadow_generation to PDM’s shared-memory
>>> ConfigVersionCache
>>> * implements proxmox_access_control::init::AccessControlConfig
>>> for pdm_config::AccessControlConfig, which
>>> - delegates roles/privs/path checks to the existing
>>> pdm_api_types::AccessControlConfig implementation
>>> - implements the shadow cache generation trait functions
>>> * switches the AccessControlConfig init paths (server + CLI) to use
>>> pdm_config::AccessControlConfig instead of
>>> pdm_api_types::AccessControlConfig
>>>
>>> This patch is part of the series which fixes bug #7017 [1].
>>>
>>> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7017
>>>
>>> Signed-off-by: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
>>> ---
>>> cli/admin/src/main.rs | 2 +-
>>> lib/pdm-config/Cargo.toml | 1 +
>>> lib/pdm-config/src/access_control_config.rs | 73 +++++++++++++++++++++
>>> lib/pdm-config/src/config_version_cache.rs | 18 +++++
>>> lib/pdm-config/src/lib.rs | 2 +
>>> server/src/acl.rs | 3 +-
>>> 6 files changed, 96 insertions(+), 3 deletions(-)
>>> create mode 100644 lib/pdm-config/src/access_control_config.rs
>>>
>>> diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
>>> index f698fa2..916c633 100644
>>> --- a/cli/admin/src/main.rs
>>> +++ b/cli/admin/src/main.rs
>>> @@ -19,7 +19,7 @@ fn main() {
>>> proxmox_product_config::init(api_user, priv_user);
>>>
>>> proxmox_access_control::init::init(
>>> - &pdm_api_types::AccessControlConfig,
>>> + &pdm_config::AccessControlConfig,
>>> pdm_buildcfg::configdir!("/access"),
>>> )
>>> .expect("failed to setup access control config");
>>> diff --git a/lib/pdm-config/Cargo.toml b/lib/pdm-config/Cargo.toml
>>> index d39c2ad..19781d2 100644
>>> --- a/lib/pdm-config/Cargo.toml
>>> +++ b/lib/pdm-config/Cargo.toml
>>> @@ -13,6 +13,7 @@ once_cell.workspace = true
>>> openssl.workspace = true
>>> serde.workspace = true
>>>
>>> +proxmox-access-control.workspace = true
>>> proxmox-config-digest = { workspace = true, features = [ "openssl" ] }
>>> proxmox-http = { workspace = true, features = [ "http-helpers" ] }
>>> proxmox-ldap = { workspace = true, features = [ "types" ]}
>>> diff --git a/lib/pdm-config/src/access_control_config.rs b/lib/pdm-config/src/access_control_config.rs
>>> new file mode 100644
>>> index 0000000..6f2e6b3
>>> --- /dev/null
>>> +++ b/lib/pdm-config/src/access_control_config.rs
>>> @@ -0,0 +1,73 @@
>>> +// e.g. in src/main.rs or server::context mod, wherever convenient
>>> +
>>> +use anyhow::Error;
>>> +use pdm_api_types::{Authid, Userid};
>>> +use proxmox_section_config::SectionConfigData;
>>> +use std::collections::HashMap;
>>> +
>>> +pub struct AccessControlConfig;
>>> +
>>> +impl proxmox_access_control::init::AccessControlConfig for AccessControlConfig {
>>
>> should we then remove the impl from the api type?
>>
>
> Thanks for pointing this out Fabian! Currently, /ui/src/main.rs still
> makes use of pdm_api_types::AccessControlConfig. This looks like a WASM
> module, and is based on ticket based auth
> (proxmox_login::Authentication) as far as I can see. Do you maybe know
> if it actually requires the token cache / can work with CVC? If it does
> not, then I think we should keep the API impl. I left this unchanged
> and only touched server and CLI call sites.
i mostly exposed that there to get access to the privileges, roles, and
is_superuser functions. they are needed in the ui to selectively render
ui elements depending on a users privileges.
this should probably be factored out though and shared differently if we
want to extend this trait with more caching functions.
>>> + fn privileges(&self) -> &HashMap<&str, u64> {
>>> + pdm_api_types::AccessControlConfig.privileges()
>>> + }
>>> +
>>> + fn roles(&self) -> &HashMap<&str, (u64, &str)> {
>>> + pdm_api_types::AccessControlConfig.roles()
>>> + }
>>> +
>>> + fn is_superuser(&self, auth_id: &Authid) -> bool {
>>> + pdm_api_types::AccessControlConfig.is_superuser(auth_id)
>>> + }
>>> +
>>> + fn is_group_member(&self, user_id: &Userid, group: &str) -> bool {
>>> + pdm_api_types::AccessControlConfig.is_group_member(user_id, group)
>>> + }
>>> +
>>> + fn role_admin(&self) -> Option<&str> {
>>> + pdm_api_types::AccessControlConfig.role_admin()
>>> + }
>>> +
>>> + fn role_no_access(&self) -> Option<&str> {
>>> + pdm_api_types::AccessControlConfig.role_no_access()
>>> + }
>>> +
>>> + fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> {
>>> + pdm_api_types::AccessControlConfig.init_user_config(config)
>>> + }
>>> +
>>> + fn acl_audit_privileges(&self) -> u64 {
>>> + pdm_api_types::AccessControlConfig.acl_audit_privileges()
>>> + }
>>> +
>>> + fn acl_modify_privileges(&self) -> u64 {
>>> + pdm_api_types::AccessControlConfig.acl_modify_privileges()
>>> + }
>>> +
>>> + fn check_acl_path(&self, path: &str) -> Result<(), Error> {
>>> + pdm_api_types::AccessControlConfig.check_acl_path(path)
>>> + }
>>> +
>>> + fn allow_partial_permission_match(&self) -> bool {
>>> + pdm_api_types::AccessControlConfig.allow_partial_permission_match()
>>> + }
>>> +
>>> + fn cache_generation(&self) -> Option<usize> {
>>> + pdm_api_types::AccessControlConfig.cache_generation()
>>> + }
>>
>> shouldn't this be wired up to the ConfigVersionCache?
>>
>
> If I understand correctly, cache_generation() and the
> increment_cache_generation() below do not appear to have been wired
> so far, meaning that caches were not enabled. To enable them,
> a PDM AccessControlConfig implementation would probably be required
> (as suggested in this patch) in order to be able integrate with
> ConfigVersionCache.
>
> I think these two functions should be checked, if we want to enabled
> them or not, probably best as part of a dedicated scope? I can create a
> bug report for this.
>
sure, i think it's not too much effort, though. if you split out the
caching parts, the ui should be fine without them. it really has no need
for them afair.
>>> +
>>> + fn increment_cache_generation(&self) -> Result<(), Error> {
>>> + pdm_api_types::AccessControlConfig.increment_cache_generation()
>>
>> shouldn't this be wired up to the ConfigVersionCache?
>>
>>> + }
>>> +
>>> + fn token_shadow_cache_generation(&self) -> Option<usize> {
>>> + crate::ConfigVersionCache::new()
>>> + .ok()
>>> + .map(|c| c.token_shadow_generation())
>>> + }
>>> +
>>> + fn increment_token_shadow_cache_generation(&self) -> Result<usize, Error> {
>>> + let c = crate::ConfigVersionCache::new()?;
>>> + Ok(c.increase_token_shadow_generation())
>>> + }
>>> +}
>>> diff --git a/lib/pdm-config/src/config_version_cache.rs b/lib/pdm-config/src/config_version_cache.rs
>>> index 36a6a77..933140c 100644
>>> --- a/lib/pdm-config/src/config_version_cache.rs
>>> +++ b/lib/pdm-config/src/config_version_cache.rs
>>> @@ -27,6 +27,8 @@ struct ConfigVersionCacheDataInner {
>>> traffic_control_generation: AtomicUsize,
>>> // Tracks updates to the remote/hostname/nodename mapping cache.
>>> remote_mapping_cache: AtomicUsize,
>>> + // Token shadow (token.shadow) generation/version.
>>> + token_shadow_generation: AtomicUsize,
>>
>> explanation why this is safe for the commit message would be nice ;)
>>
>
> Will add :)
>
>>> // Add further atomics here
>>> }
>>>
>>> @@ -172,4 +174,20 @@ impl ConfigVersionCache {
>>> .fetch_add(1, Ordering::Relaxed)
>>> + 1
>>> }
>>> +
>>> + /// Returns the token shadow generation number.
>>> + pub fn token_shadow_generation(&self) -> usize {
>>> + self.shmem
>>> + .data()
>>> + .token_shadow_generation
>>> + .load(Ordering::Acquire)
>>> + }
>>> +
>>> + /// Increase the token shadow generation number.
>>> + pub fn increase_token_shadow_generation(&self) -> usize {
>>> + self.shmem
>>> + .data()
>>> + .token_shadow_generation
>>> + .fetch_add(1, Ordering::AcqRel)
>>> + }
>>> }
>>> diff --git a/lib/pdm-config/src/lib.rs b/lib/pdm-config/src/lib.rs
>>> index 4c49054..a15a006 100644
>>> --- a/lib/pdm-config/src/lib.rs
>>> +++ b/lib/pdm-config/src/lib.rs
>>> @@ -9,6 +9,8 @@ pub mod remotes;
>>> pub mod setup;
>>> pub mod views;
>>>
>>> +mod access_control_config;
>>> +pub use access_control_config::AccessControlConfig;
>>> mod config_version_cache;
>>> pub use config_version_cache::ConfigVersionCache;
>>>
>>> diff --git a/server/src/acl.rs b/server/src/acl.rs
>>> index f421814..e6e007b 100644
>>> --- a/server/src/acl.rs
>>> +++ b/server/src/acl.rs
>>> @@ -1,6 +1,5 @@
>>> pub(crate) fn init() {
>>> - static ACCESS_CONTROL_CONFIG: pdm_api_types::AccessControlConfig =
>>> - pdm_api_types::AccessControlConfig;
>>> + static ACCESS_CONTROL_CONFIG: pdm_config::AccessControlConfig = pdm_config::AccessControlConfig;
>>>
>>> proxmox_access_control::init::init(&ACCESS_CONTROL_CONFIG, pdm_buildcfg::configdir!("/access"))
>>> .expect("failed to setup access control config");
>>> --
>>> 2.47.3
>>>
>>>
>>>
>>> _______________________________________________
>>> pbs-devel mailing list
>>> pbs-devel@lists.proxmox.com
>>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>>>
>>
>>
>> _______________________________________________
>> pbs-devel mailing list
>> pbs-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
next prev parent reply other threads:[~2026-01-16 16:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-02 16:07 [pbs-devel] [PATCH proxmox{-backup, , -datacenter-manager} v3 00/10] token-shadow: reduce api token verification overhead Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox-backup v3 1/4] pbs-config: add token.shadow generation to ConfigVersionCache Samuel Rufinatscha
2026-01-14 10:44 ` Fabian Grünbichler
2026-01-16 13:53 ` Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox-backup v3 2/4] pbs-config: cache verified API token secrets Samuel Rufinatscha
2026-01-14 10:44 ` Fabian Grünbichler
2026-01-16 15:13 ` Samuel Rufinatscha
2026-01-16 15:29 ` Fabian Grünbichler
2026-01-16 15:33 ` Samuel Rufinatscha
2026-01-16 16:00 ` Fabian Grünbichler
2026-01-16 16:56 ` Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox-backup v3 3/4] pbs-config: invalidate token-secret cache on token.shadow changes Samuel Rufinatscha
2026-01-14 10:44 ` Fabian Grünbichler
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox-backup v3 4/4] pbs-config: add TTL window to token secret cache Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox v3 1/4] proxmox-access-control: extend AccessControlConfig for token.shadow invalidation Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox v3 2/4] proxmox-access-control: cache verified API token secrets Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox v3 3/4] proxmox-access-control: invalidate token-secret cache on token.shadow changes Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox v3 4/4] proxmox-access-control: add TTL window to token secret cache Samuel Rufinatscha
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox-datacenter-manager v3 1/2] pdm-config: implement token.shadow generation Samuel Rufinatscha
2026-01-14 10:45 ` Fabian Grünbichler
2026-01-16 16:28 ` Samuel Rufinatscha
2026-01-16 16:48 ` Shannon Sterz [this message]
2026-01-02 16:07 ` [pbs-devel] [PATCH proxmox-datacenter-manager v3 2/2] docs: document API token-cache TTL effects Samuel Rufinatscha
2026-01-14 10:45 ` Fabian Grünbichler
2026-01-14 11:24 ` Samuel Rufinatscha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DFQ612OAB0QH.33RQ9X3JVTAUO@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.rufinatscha@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.