From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 868531FF13A for ; Wed, 24 Jun 2026 14:45:58 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5930517F33; Wed, 24 Jun 2026 14:45:57 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Wed, 24 Jun 2026 14:45:52 +0200 Message-Id: Subject: Re: [PATCH datacenter-manager 1/3] server: api: access: add endpoints for configuring pdm and pam realms From: "Shan Shaji" To: "Shannon Sterz" , X-Mailer: aerc 0.20.0 References: <20260618102126.177217-1-s.sterz@proxmox.com> <20260618102126.177217-2-s.sterz@proxmox.com> In-Reply-To: <20260618102126.177217-2-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782305149156 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.148 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: VKBH352HTBEZALNGL3PLYNUCLOLYHROH X-Message-ID-Hash: VKBH352HTBEZALNGL3PLYNUCLOLYHROH X-MailFrom: s.shaji@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Thu Jun 18, 2026 at 12:21 PM CEST, Shannon Sterz wrote: > this allows users to set those realms as default realms and also > allows editing their comments. > > also makes sure that the pam and pdm realms exist in the domains.cfg > > Signed-off-by: Shannon Sterz > --- > lib/pdm-api-types/src/lib.rs | 96 ++++++++++++++ > lib/pdm-config/src/domains.rs | 37 +++++- > server/src/api/access/domains.rs | 16 +-- > server/src/api/config/access/mod.rs | 4 + > server/src/api/config/access/pam.rs | 119 ++++++++++++++++++ > server/src/api/config/access/pdm.rs | 119 ++++++++++++++++++ > .../bin/proxmox-datacenter-privileged-api.rs | 1 + > 7 files changed, 375 insertions(+), 17 deletions(-) > create mode 100644 server/src/api/config/access/pam.rs > create mode 100644 server/src/api/config/access/pdm.rs > [...] > diff --git a/server/src/api/config/access/pdm.rs b/server/src/api/config/= access/pdm.rs > new file mode 100644 > index 00000000..e35cba0c > --- /dev/null > +++ b/server/src/api/config/access/pdm.rs 
> @@ -0,0 +1,119 @@ > +use ::serde::{Deserialize, Serialize}; small nit: Do we need the `::` symbol here? > +use anyhow::Error; > + > +use proxmox_config_digest::ConfigDigest; > +use proxmox_router::{Permission, Router, RpcEnvironment}; > +use proxmox_schema::api; > + > +use pdm_api_types::{PRIV_REALM_ALLOCATE, PRIV_SYS_AUDIT, PdmRealmConfig,= PdmRealmConfigUpdater}; > +use pdm_config::domains; > + > +#[api( > + returns: { > + type: PdmRealmConfig, > + }, > + access: { > + permission: &Permission::Privilege(&["access", "domains"], PRIV_= SYS_AUDIT, false), > + }, > +)] > +/// Read the Proxmox Datacenter Manager authentication server realm conf= iguration > +pub fn read_pdm_realm(rpcenv: &mut dyn RpcEnvironment) -> Result { > + let (domains, digest) =3D domains::config()?; > + > + let config =3D domains.lookup("pdm", "pdm")?; > + > + rpcenv["digest"] =3D digest.to_hex().into(); > + > + Ok(config) > +} > + > +#[api] > +#[derive(Serialize, Deserialize)] > +#[serde(rename_all =3D "kebab-case")] > +/// Deletable property name > +pub enum DeletableProperty { > + /// Delete the comment property. > + Comment, > + /// Delete the default property. 
> + Default, > +} > + > +#[api( > + protected: true, > + input: { > + properties: { > + update: { > + type: PdmRealmConfigUpdater, > + flatten: true, > + }, > + delete: { > + description: "List of properties to delete.", > + type: Array, > + optional: true, > + items: { > + type: DeletableProperty, > + } > + }, > + digest: { > + optional: true, > + type: ConfigDigest, > + }, > + }, > + }, > + returns: { > + type: PdmRealmConfig, > + }, > + access: { > + permission: &Permission::Privilege(&["access", "domains"], PRIV_= REALM_ALLOCATE, false), > + }, > +)] > +/// Update the Proxmox Datacenter Manager authentication server realm co= nfiguration > +pub fn update_pdm_realm( > + update: PdmRealmConfigUpdater, > + delete: Option>, > + digest: Option, > + _rpcenv: &mut dyn RpcEnvironment, > +) -> Result<(), Error> { > + let _lock =3D domains::lock_config()?; > + > + let (mut domains, expected_digest) =3D domains::config()?; > + > + expected_digest.detect_modification(digest.as_ref())?; > + > + let mut config: PdmRealmConfig =3D domains.lookup("pdm", "pdm")?; > + > + if let Some(delete) =3D delete { > + for delete_prop in delete { > + match delete_prop { > + DeletableProperty::Comment =3D> config.comment =3D None, > + DeletableProperty::Default =3D> config.default =3D None, > + } > + } > + } > + > + if let Some(comment) =3D update.comment { > + let comment =3D comment.trim().to_string(); > + if comment.is_empty() { > + config.comment =3D None; > + } else { > + config.comment =3D Some(comment); > + } > + } > + > + if let Some(true) =3D update.default { > + pdm_config::domains::unset_default_realm(&mut domains)?; > + config.default =3D Some(true); > + } else { > + config.default =3D None; > + } > + > + domains.set_data("pdm", "pdm", &config)?; > + > + domains::save_config(&domains)?; > + > + Ok(()) > +} > + > +pub const ROUTER: Router =3D Router::new() > + .get(&API_METHOD_READ_PDM_REALM) > + .put(&API_METHOD_UPDATE_PDM_REALM); 
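Review bot: In update_pdm_realm, the `else { config.default = None; }` branch clears the default flag whenever the request simply omits `default`, so a PUT that only changes the comment silently stops this realm from being the default — and the default realm decides which backend authenticates a login without an explicit `@realm`, so that is an authentication-behaviour change, not just a cosmetic one. If this deliberately mirrors the existing realm endpoints (the GUI always submitting the full form), it should at least be stated in the doc comment; otherwise treat `None` as "unchanged" and let the `delete: Default` path (or `default: false`) be the way to clear it. Separately, the `#[api]` block for update_pdm_realm declares `returns: { type: PdmRealmConfig }` but the function returns `Result<(), Error>`, so the published schema promises a body the endpoint never sends; drop the `returns` or return the updated `config`. The default-handling rewrite I would propose is below; the rest of the function is unchanged.
```rust
    // None = leave the flag alone; only an explicit value changes it.
    match update.default {
        Some(true) => {
            domains::unset_default_realm(&mut domains)?;
            config.default = Some(true);
        }
        Some(false) => config.default = None,
        None => {}
    }
    // … unchanged: set_data / save_config …
```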
> diff --git a/server/src/bin/proxmox-datacenter-privileged-api.rs b/server= /src/bin/proxmox-datacenter-privileged-api.rs > index fdc4e8a9..59d30513 100644 > --- a/server/src/bin/proxmox-datacenter-privileged-api.rs > +++ b/server/src/bin/proxmox-datacenter-privileged-api.rs > @@ -118,6 +118,7 @@ async fn run() -> Result<(), Error> { > auth::init(true); > =20 > proxmox_acme_api::init(configdir!("/acme"), true)?; > + pdm_config::domains::add_default_realms()?; > =20 > let api_user =3D pdm_config::api_user()?; > let mut command_sock =3D proxmox_daemon::command_socket::CommandSock= et::new(api_user.gid);
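Review bot: The added `pdm_config::domains::add_default_realms()?;` runs in the privileged daemon's startup path and, per the cover text, writes the pam/pdm sections into domains.cfg if they are missing, so a read-only or malformed domains.cfg now makes the privileged API refuse to start rather than degrade — worth a comment at the call site stating that this is intended, e.g. `// ensure the built-in pam/pdm realms exist before any API request can look them up`. It is also not visible here whether add_default_realms takes the same config lock the update endpoints use, or whether the unprivileged daemon may read domains.cfg before this write lands; both are worth confirming since the new read/update endpoints fail their lookup until the sections exist. The enclosing run() begins before and continues past this hunk.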