From: Fabian Grünbichler
To: pbs-devel@lists.proxmox.com
Date: Mon, 19 Oct 2020 09:39:04 +0200
Message-Id: <20201019073919.588521-1-f.gruenbichler@proxmox.com>
Subject: [pbs-devel] [RFC proxmox-backup 00/15] API tokens
List-Id: Proxmox Backup Server development discussion

sending as RFC since there are a few implementation details up for
discussion while I struggle with the JS/GUI part ;)

it's mostly modeled after API tokens in PVE, with two differences:
- tokens are always privilege separated
- the user+token list returns full tokenids, not token names

first three patches are just cleanups that fell out of developing this
series.

missing/room for follow-ups:
- allow setting arbitrary ACLs for tokens (since they are restricted to
  the permissions of the user anyway)
- cache authenticated tokens to avoid round trip through hashing/shadow
  file?
- GUI

Fabian Grünbichler (15):
  fix indentation
  fix typos
  REST: rename token to csrf_token
  Userid: extend schema with token name
  add ApiToken to user.cfg and CachedUserInfo
  config: add token.shadow file
  REST: extract and handle API tokens
  api: add API token endpoints
  api: allow listing users + tokens
  api: add permissions endpoint
  client: allow using ApiToken + secret
  owner checks: handle backups owned by API tokens
  tasks: allow unpriv users to read their tokens' tasks
  manager: add token commands
  manager: add user permissions command

 src/api2/access.rs                     |  99 +++++-
 src/api2/access/acl.rs                 |   2 +-
 src/api2/access/user.rs                | 450 ++++++++++++++++++++++++-
 src/api2/admin/datastore.rs            | 134 +++++--
 src/api2/backup.rs                     |   3 +-
 src/api2/config/remote.rs              |   4 +-
 src/api2/node/tasks.rs                 |  30 +-
 src/api2/reader.rs                     |   3 +-
 src/api2/types/mod.rs                  |  15 +-
 src/api2/types/userid.rs               | 367 +++++++++++++++++---
 src/bin/proxmox-backup-client.rs       |   6 +-
 src/bin/proxmox_backup_manager/acl.rs  |   2 +-
 src/bin/proxmox_backup_manager/user.rs | 129 +++++++
 src/client/http_client.rs              |  41 ++-
 src/config.rs                          |   1 +
 src/config/acl.rs                      |  67 ++--
 src/config/cached_user_info.rs         |  65 +++-
 src/config/remote.rs                   |   2 +-
 src/config/token_shadow.rs             |  79 +++++
 src/config/user.rs                     |  98 +++++-
 src/server/rest.rs                     |  71 ++--
 21 files changed, 1443 insertions(+), 225 deletions(-)
 create mode 100644 src/config/token_shadow.rs

-- 
2.20.1
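The cover letter's first design difference ("tokens are always privilege separated") and its follow-up note that token ACLs can be arbitrary because they are capped by the owning user's permissions describe one permission-evaluation rule: a token's effective privileges on a path are the intersection of what the ACL grants the token and what it grants the owning user. The Rust below is an added example illustrating that rule; it is not code from this series or from proxmox-backup. It assumes the PVE-style full tokenid spelling `user@realm!tokenname` (the cover letter only says the list returns full tokenids, not how they are spelled), models the ACL as plain privilege strings per path with prefix inheritance (the real ACL tree uses roles and a propagate flag, which this omits), and uses illustrative privilege names.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Authentication id: a plain user ("alice@pbs") or an API token owned by
/// that user ("alice@pbs!backup"). Assumption: PVE-style spelling.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Authid {
    pub user: String,          // "user@realm"
    pub token: Option<String>, // token name, if this is an API token
}

impl Authid {
    pub fn parse(s: &str) -> Result<Self, String> {
        let (user, token) = match s.split_once('!') {
            Some((u, t)) => (u, Some(t)),
            None => (s, None),
        };
        // userid needs exactly one '@' separating non-empty name and realm
        let (name, realm) = user
            .split_once('@')
            .ok_or_else(|| format!("missing realm in {:?}", s))?;
        if name.is_empty() || realm.is_empty() || realm.contains('@') {
            return Err(format!("invalid userid in {:?}", s));
        }
        if let Some(t) = token {
            let ok = !t.is_empty()
                && t.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-');
            if !ok {
                return Err(format!("invalid token name in {:?}", s));
            }
        }
        Ok(Authid { user: user.to_string(), token: token.map(str::to_string) })
    }

    pub fn is_token(&self) -> bool {
        self.token.is_some()
    }

    /// The owning user of a token (identity for a plain user).
    pub fn user(&self) -> Authid {
        Authid { user: self.user.clone(), token: None }
    }
}

/// "/datastore/store1" -> ["/", "/datastore", "/datastore/store1"]
fn path_prefixes(path: &str) -> Vec<String> {
    let mut out = vec!["/".to_string()];
    let mut cur = String::new();
    for comp in path.split('/').filter(|c| !c.is_empty()) {
        cur.push('/');
        cur.push_str(comp);
        out.push(cur.clone());
    }
    out
}

/// Simplified ACL: path -> authid -> privileges granted there. Grants are
/// inherited by sub-paths (no roles, no propagate flag; illustration only).
#[derive(Default)]
pub struct AclTree {
    entries: BTreeMap<String, BTreeMap<Authid, BTreeSet<String>>>,
}

impl AclTree {
    pub fn grant(&mut self, path: &str, who: &Authid, privs: &[&str]) {
        self.entries
            .entry(path.to_string())
            .or_default()
            .entry(who.clone())
            .or_default()
            .extend(privs.iter().map(|p| p.to_string()));
    }

    /// What the ACL grants `who` directly on `path`, ignoring separation.
    fn direct_privs(&self, who: &Authid, path: &str) -> BTreeSet<String> {
        let mut out = BTreeSet::new();
        for prefix in path_prefixes(path) {
            if let Some(p) = self.entries.get(&prefix).and_then(|m| m.get(who)) {
                out.extend(p.iter().cloned());
            }
        }
        out
    }

    /// Privilege separation: a token never exceeds its owning user, so its
    /// effective set is (token grants) ∩ (owner grants) on the same path.
    pub fn effective_privs(&self, who: &Authid, path: &str) -> BTreeSet<String> {
        let own = self.direct_privs(who, path);
        if !who.is_token() {
            return own;
        }
        let owner = self.direct_privs(&who.user(), path);
        own.intersection(&owner).cloned().collect()
    }

    pub fn check(&self, who: &Authid, path: &str, required: &str) -> bool {
        self.effective_privs(who, path).contains(required)
    }
}

fn main() {
    // Constructed sample: the token is granted more than its owner holds.
    let mut acl = AclTree::default();
    let alice = Authid::parse("alice@pbs").unwrap();
    let tok = Authid::parse("alice@pbs!backup").unwrap();
    acl.grant("/datastore/store1", &alice, &["Datastore.Backup", "Datastore.Read"]);
    acl.grant("/datastore", &tok, &["Datastore.Backup", "Datastore.Prune"]);
    println!("{:?}", acl.effective_privs(&tok, "/datastore/store1")); // only Datastore.Backup
}
```

The consequence for the follow-up item in the cover letter is visible in `effective_privs`: granting a token an ACL broader than its owner's is harmless, because every privilege the owner lacks is dropped at evaluation time, on every path.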