From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [RFC proxmox-backup 00/15] API tokens
Date: Mon, 19 Oct 2020 09:39:04 +0200 [thread overview]
Message-ID: <20201019073919.588521-1-f.gruenbichler@proxmox.com> (raw)
sending as RFC since there are a few implementation details up for
discussion while I struggle with the JS/GUI part ;)
it's mostly modeled after API tokens in PVE, with two differences:
- tokens are always privilege separated
- the user+token list returns full tokenids, not token names
first three patches are just cleanups that fell out of developing this
series.
missing/room for follow-ups:
- allow setting arbitrary ACLs for tokens (since they are restricted to
the permissions of the user anyway)
- cache authenticated tokens to avoid round trip through hashing/shadow
file?
- GUI
Fabian Grünbichler (15):
fix indentation
fix typos
REST: rename token to csrf_token
Userid: extend schema with token name
add ApiToken to user.cfg and CachedUserInfo
config: add token.shadow file
REST: extract and handle API tokens
api: add API token endpoints
api: allow listing users + tokens
api: add permissions endpoint
client: allow using ApiToken + secret
owner checks: handle backups owned by API tokens
tasks: allow unpriv users to read their tokens' tasks
manager: add token commands
manager: add user permissions command
src/api2/access.rs | 99 +++++-
src/api2/access/acl.rs | 2 +-
src/api2/access/user.rs | 450 ++++++++++++++++++++++++-
src/api2/admin/datastore.rs | 134 +++++---
src/api2/backup.rs | 3 +-
src/api2/config/remote.rs | 4 +-
src/api2/node/tasks.rs | 30 +-
src/api2/reader.rs | 3 +-
src/api2/types/mod.rs | 15 +-
src/api2/types/userid.rs | 367 +++++++++++++++++---
src/bin/proxmox-backup-client.rs | 6 +-
src/bin/proxmox_backup_manager/acl.rs | 2 +-
src/bin/proxmox_backup_manager/user.rs | 129 +++++++
src/client/http_client.rs | 41 ++-
src/config.rs | 1 +
src/config/acl.rs | 67 ++--
src/config/cached_user_info.rs | 65 +++-
src/config/remote.rs | 2 +-
src/config/token_shadow.rs | 79 +++++
src/config/user.rs | 98 +++++-
src/server/rest.rs | 71 ++--
21 files changed, 1443 insertions(+), 225 deletions(-)
create mode 100644 src/config/token_shadow.rs
--
2.20.1
next reply other threads:[~2020-10-19 7:39 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-19 7:39 Fabian Grünbichler [this message]
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 01/15] fix indentation Fabian Grünbichler
2020-10-19 12:00 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 02/15] fix typos Fabian Grünbichler
2020-10-19 12:01 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [PATCH proxmox-backup 03/15] REST: rename token to csrf_token Fabian Grünbichler
2020-10-19 12:02 ` [pbs-devel] applied: " Thomas Lamprecht
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 04/15] Userid: extend schema with token name Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 05/15] add ApiToken to user.cfg and CachedUserInfo Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 06/15] config: add token.shadow file Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 07/15] REST: extract and handle API tokens Fabian Grünbichler
2020-10-20 8:34 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 08/15] api: add API token endpoints Fabian Grünbichler
2020-10-20 9:42 ` Wolfgang Bumiller
2020-10-20 10:15 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 09/15] api: allow listing users + tokens Fabian Grünbichler
2020-10-20 10:10 ` Wolfgang Bumiller
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 10/15] api: add permissions endpoint Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 11/15] client: allow using ApiToken + secret Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 12/15] owner checks: handle backups owned by API tokens Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 13/15] tasks: allow unpriv users to read their tokens' tasks Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 14/15] manager: add token commands Fabian Grünbichler
2020-10-19 7:39 ` [pbs-devel] [RFC proxmox-backup 15/15] manager: add user permissions command Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201019073919.588521-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox