From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com,
Samuel Rufinatscha <s.rufinatscha@proxmox.com>
Subject: partially-applied: [PATCH proxmox{-backup,,-datacenter-manager} v7 00/11] token-shadow: reduce api token verification overhead
Date: Thu, 19 Mar 2026 13:26:26 +0100 [thread overview]
Message-ID: <1773921586.9wosknv4cp.astroid@yuna.none> (raw)
In-Reply-To: <20260312103708.125282-1-s.rufinatscha@proxmox.com>
On March 12, 2026 11:36 am, Samuel Rufinatscha wrote:
> Hi,
>
> [..]
>
> Patch summary
>
> pbs-config:
> 0001 – pbs-config: add token.shadow generation to ConfigVersionCache
> 0002 – pbs-config: cache verified API token secrets
> 0003 – pbs-config: invalidate token-secret cache on token.shadow
> changes
> 0004 – pbs-config: add TTL window to token-secret cache
applied these, with some follow-ups as discussed off-list
> proxmox-access-control:
> 0005 – access-control: extend AccessControlConfig for token.shadow invalidation
> 0006 – access-control: cache verified API token secrets
> 0007 – access-control: invalidate token-secret cache on token.shadow changes
> 0008 – access-control: add TTL window to token-secret cache
>
> proxmox-datacenter-manager:
> 0009 – pdm-config: add token.shadow generation to ConfigVersionCache
> 0010 – docs: document API token-cache TTL effects
> 0011 – pdm-config: wire user+acl cache generation
skipped these for now - I think the split between the traits there makes
things a bit too intertwined while sort of pretending they are separate.
we probably would have noticed earlier that things aren't cleanly
separated if PDM had wired up user.cfg/acl.cfg caching ;)
we should probably split the two traits completely, instead of nesting:
- one for the ACL-related parts needed by the UI, guarded by the `acl`
feature
- one for the user.cfg/token.shadow and caching related parts, guarded
by the `impl` feature
with an `init` call each consuming them (or one consuming the acl one,
and second impl-one consuming both?).
neither of these traits is used by the product code itself, except for
implementing them to tell proxmox-access-control about product-specific
bits, so having two traits allows properly separating the concerns on
the product side.
it would probably also make sense to include the follow-ups (which are
mostly renaming things) to make it easier to at some point switch the
PBS code over to proxmox-access-control..
> Maintainer Notes:
> * proxmox-access-control trait split: permissions now live in
> AccessControlPermissions, and AccessControlConfig now requires
> fn permissions(&self) -> &dyn AccessControlPermissions ->
> version bump
> * Renames ConfigVersionCache`s pub user_cache_generation and
> increase_user_cache_generation -> version bump
> * Adds parking_lot::RwLock dependency in PBS and proxmox-access-control
>
> This version and the version before only incorporate the reviewers'
> feedback [4][5][6], also please consider Christian's R-b tag [4].
>
> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7017
> [2] attachment 1767 [1]: Flamegraph showing the proxmox_sys::crypt::verify_crypt_pw stack
> [3] https://bugzilla.proxmox.com/show_bug.cgi?id=6049
> [4] https://lore.proxmox.com/pbs-devel/20260121151408.731516-1-s.rufinatscha@proxmox.com/T/#t
> [5] https://lore.proxmox.com/pbs-devel/20260217111229.78661-1-s.rufinatscha@proxmox.com/T/#t
> [6] https://lore.proxmox.com/pbs-devel/725687dd-5a35-41ed-af62-6dc9f062cbd4@proxmox.com/T/#t
>
> proxmox-backup:
>
> Samuel Rufinatscha (4):
> pbs-config: add token.shadow generation to ConfigVersionCache
> pbs-config: cache verified API token secrets
> pbs-config: invalidate token-secret cache on token.shadow changes
> pbs-config: add TTL window to token secret cache
>
> Cargo.toml | 1 +
> docs/user-management.rst | 4 +
> pbs-config/Cargo.toml | 1 +
> pbs-config/src/config_version_cache.rs | 18 ++
> pbs-config/src/token_shadow.rs | 314 ++++++++++++++++++++++++-
> 5 files changed, 335 insertions(+), 3 deletions(-)
>
>
> proxmox:
>
> Samuel Rufinatscha (4):
> proxmox-access-control: split AccessControlConfig and add token.shadow
> gen
> proxmox-access-control: cache verified API token secrets
> proxmox-access-control: invalidate token-secret cache on token.shadow
> changes
> proxmox-access-control: add TTL window to token secret cache
>
> Cargo.toml | 1 +
> proxmox-access-control/Cargo.toml | 1 +
> proxmox-access-control/src/acl.rs | 10 +-
> proxmox-access-control/src/init.rs | 113 ++++++--
> proxmox-access-control/src/token_shadow.rs | 315 ++++++++++++++++++++-
> 5 files changed, 413 insertions(+), 27 deletions(-)
>
>
> proxmox-datacenter-manager:
>
> Samuel Rufinatscha (3):
> pdm-config: implement token.shadow generation
> docs: document API token-cache TTL effects
> pdm-config: wire user+acl cache generation
>
> cli/admin/src/main.rs | 2 +-
> docs/access-control.rst | 4 +++
> lib/pdm-api-types/src/acl.rs | 4 +--
> lib/pdm-config/Cargo.toml | 1 +
> lib/pdm-config/src/access_control.rs | 31 ++++++++++++++++++++
> lib/pdm-config/src/config_version_cache.rs | 34 +++++++++++++++++-----
> lib/pdm-config/src/lib.rs | 2 ++
> server/src/acl.rs | 3 +-
> ui/src/main.rs | 10 ++++++-
> 9 files changed, 77 insertions(+), 14 deletions(-)
> create mode 100644 lib/pdm-config/src/access_control.rs
>
>
> Summary over all repositories:
> 19 files changed, 825 insertions(+), 44 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
>
>
>
>
>
prev parent reply other threads:[~2026-03-19 12:26 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 10:36 Samuel Rufinatscha
2026-03-12 10:36 ` [PATCH proxmox-backup v7 1/4] pbs-config: add token.shadow generation to ConfigVersionCache Samuel Rufinatscha
2026-03-12 10:36 ` [PATCH proxmox-backup v7 2/4] pbs-config: cache verified API token secrets Samuel Rufinatscha
2026-03-12 10:36 ` [PATCH proxmox-backup v7 3/4] pbs-config: invalidate token-secret cache on token.shadow changes Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox-backup v7 4/4] pbs-config: add TTL window to token secret cache Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox v7 1/4] proxmox-access-control: split AccessControlConfig and add token.shadow gen Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox v7 2/4] proxmox-access-control: cache verified API token secrets Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox v7 3/4] proxmox-access-control: invalidate token-secret cache on token.shadow changes Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox v7 4/4] proxmox-access-control: add TTL window to token secret cache Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox-datacenter-manager v7 1/3] pdm-config: implement token.shadow generation Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox-datacenter-manager v7 2/3] docs: document API token-cache TTL effects Samuel Rufinatscha
2026-03-12 10:37 ` [PATCH proxmox-datacenter-manager v7 3/3] pdm-config: wire user+acl cache generation Samuel Rufinatscha
2026-03-19 12:26 ` Fabian Grünbichler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1773921586.9wosknv4cp.astroid@yuna.none \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.rufinatscha@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox