From: Oguz Bektas
To: Proxmox Backup Server development discussion
Date: Thu, 22 Oct 2020 11:17:29 +0200
Subject: Re: [pbs-devel] [PATCH proxmox-backup] add datastore info api call
Message-ID: <20201022091729.GA14703@gaia.proxmox.com>
In-Reply-To: <1603353403.2oxwp8ptb8.astroid@nora.none>

hi,

On Thu, Oct 22, 2020 at 10:02:23AM +0200, Fabian Grünbichler wrote:
>
> why READ and not AUDIT | BACKUP ? why partial if you only pass a single
> privilege?

i thought the minimum privilege should be view. one might want to add a
datastore where only read access is given to them, to be able to restore
backups from it for example. imposing audit/backup privs would prevent
this, afaict

> > > + }, > > +)] > > +/// Get information about the datastore.
> > +/// > > +/// Provides PBS node fingerprint, address and datastore name > > +pub fn info( > > + store: String, > > + _info: &ApiMethod, > > + _rpcenv: &mut dyn RpcEnvironment, > > +) -> Result { > > + let _datastore = DataStore::lookup_datastore(&store)?; > > + let cert = CertInfo::new()?; > > + let fingerprint = cert.fingerprint()?; > > + > > + // get all possible interface IP addresses since there's > > + // no explicit way to tell which is needed > > + let (config, _) = network::config()?; > > + let mut address_list = Vec::new(); > > + for (_ , interface) in config.interfaces.iter() { > > + if let Some(cidr) = &interface.cidr { > > + address_list.push(cidr.to_owned()); > > + } > > + }
>
> doesn't this leak information that the user would/should not have access
> to? I mean, if I can do an API call I already have some way to reach the
> PBS server and we could just default to that on the client side..
> possibly it would make sense to declare some interface as the
> 'external/public' one and return that if configured, but just returning
> all addresses of all interfaces seems a bit much..

yes, i wasn't sure how to handle this since in PVE we just take the
corosync link but here it can be any interface. i do like the suggestion
to declare an interface the "public" one. but there could be multiple
interfaces being utilized as well (like f.e. if the server has 2
addresses on two different subnets, with different datastores). then it
would make things harder. i'm open to different suggestions.

> > > + > > + let result_item = DataStoreInfo { > > + name: store, > > + address_list, > > + fingerprint, > > + }; > > + > > + Ok(result_item) > > +} > > + > > + > > + > > #[api( > > input: { > > properties: { > > @@ -1673,6 +1723,11 @@ const DATASTORE_INFO_SUBDIRS: SubdirMap = &[ > > &Router::new() > > .get(&API_METHOD_LIST_GROUPS) > > ), > > + ( > > + "info", > > + &Router::new() > > + .get(&API_METHOD_INFO) > > + ), > > ( > > "notes", > > &Router::new()
> > diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs > > index f97db557..9e61f15c 100644 > > --- a/src/api2/types/mod.rs > > +++ b/src/api2/types/mod.rs > > @@ -1070,3 +1070,26 @@ pub struct APTUpdateInfo { > > /// URL under which the package's changelog can be retrieved > > pub change_log_url: String, > > } > > + > > +#[api( > > + properties: { > > + "address-list": { > > + description: "List of IPs from node", > > + type: Array, > > + items: { > > + description: "CIDR", > > + type: String, > > + }, > > + }, > > +})] > > +#[derive(Serialize, Deserialize)] > > +#[serde(rename_all = "kebab-case")] > > +/// Necessary information for adding a remote > > +pub struct DataStoreInfo { > > + /// Name of the datastore > > + pub name: String, > > + /// Available IP addresses from the node > > + pub address_list: Vec, > > + /// x509 fingerprint of the node > > + pub fingerprint: String, > > +} > > -- > > 2.20.1
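
Review bot: the `for (_ , interface) in config.interfaces.iter()` loop in `info()` copies the CIDR of every configured interface into `address_list`, so any caller permitted to use this endpoint learns the node's complete addressing, including networks it has no route to and their prefix lengths. The comment above the loop says there is no explicit way to tell which address is needed, but the client already holds one that works, namely the address it used for this call; consider dropping the list, or returning only an address the administrator has explicitly designated for external use. `_datastore` is bound only so that `lookup_datastore` fails for an unknown store; a one-line comment saying so would stop it reading as dead code.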
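
Review bot: in the `#[api]` block for `DataStoreInfo`, `address-list` is described as "List of IPs from node" while its items are described as "CIDR" and typed as a bare `String`, so the schema neither says which of the two the client receives nor validates it; describe the field as what it actually carries and give the items a format check. The doc comment on `fingerprint` should state which digest is used, and should say that for "adding a remote" the value has to be compared against a fingerprint obtained out of band, since a fingerprint read over the very TLS connection it describes cannot by itself authenticate that connection.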