From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id A99341FF2D5 for ; Mon, 15 Jul 2024 12:16:50 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0F8F537FF1; Mon, 15 Jul 2024 12:17:19 +0200 (CEST) From: Christian Ebner To: pbs-devel@lists.proxmox.com Date: Mon, 15 Jul 2024 12:15:55 +0200 Message-Id: <20240715101602.274244-18-c.ebner@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20240715101602.274244-1-c.ebner@proxmox.com> References: <20240715101602.274244-1-c.ebner@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.021 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [RFC proxmox-backup 17/24] api types: define remote permissions and roles for push sync X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Adding the privileges to allow backup and prune on remote targets, to be used for sync jobs in push direction. Also adds a dedicated role collecting the required privileges. Signed-off-by: Christian Ebner --- pbs-api-types/src/acl.rs | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) 
diff --git a/pbs-api-types/src/acl.rs b/pbs-api-types/src/acl.rs
index ef6398629..f644029fa 100644
--- a/pbs-api-types/src/acl.rs
+++ b/pbs-api-types/src/acl.rs
@@ -58,6 +58,12 @@ constnamedbitmap! {
 PRIV_REMOTE_MODIFY("Remote.Modify");
 /// Remote.Read allows reading data from a configured `Remote`
 PRIV_REMOTE_READ("Remote.Read");
+ /// Remote.Backup allows Remote.Read and creating new snapshots on a configured `Remote`,
+ /// but also requires backup ownership
+ PRIV_REMOTE_BACKUP("Remote.Backup");
+ /// Remote.Prune allows deleting snapshots on a configured `Remote`,
+ /// but also requires backup ownership
+ PRIV_REMOTE_PRUNE("Remote.Prune");
 
 /// Sys.Console allows access to the system's console
 PRIV_SYS_CONSOLE("Sys.Console");
@@ -151,6 +157,7 @@ pub const ROLE_REMOTE_AUDIT: u64 = 0
 pub const ROLE_REMOTE_ADMIN: u64 = 0
 | PRIV_REMOTE_AUDIT
 | PRIV_REMOTE_MODIFY
+ | PRIV_REMOTE_BACKUP
 | PRIV_REMOTE_READ;
 
 #[rustfmt::skip]
@@ -160,6 +167,14 @@ pub const ROLE_REMOTE_SYNC_OPERATOR: u64 = 0
 | PRIV_REMOTE_AUDIT
 | PRIV_REMOTE_READ;
 
+#[rustfmt::skip]
+#[allow(clippy::identity_op)]
+/// Remote.SyncPushOperator can do read, backup and prune on the remote.
+pub const ROLE_REMOTE_SYNC_PUSH_OPERATOR: u64 = 0
+ | PRIV_REMOTE_AUDIT
+ | PRIV_REMOTE_BACKUP
+ | PRIV_REMOTE_READ;
+
 #[rustfmt::skip]
 #[allow(clippy::identity_op)]
 /// Tape.Audit can audit the tape backup configuration and media content
@@ -225,6 +240,8 @@ pub enum Role {
 RemoteAdmin = ROLE_REMOTE_ADMIN,
 /// Syncronisation Opertator
 RemoteSyncOperator = ROLE_REMOTE_SYNC_OPERATOR,
+ /// Syncronisation Opertator (push direction)
+ RemoteSyncPushOperator = ROLE_REMOTE_SYNC_PUSH_OPERATOR,
 /// Tape Auditor
 TapeAudit = ROLE_TAPE_AUDIT,
 /// Tape Administrator
-- 
2.39.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
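Review bot: The doc comment on `PRIV_REMOTE_BACKUP` says the privilege "allows Remote.Read", but nothing visible in this hunk makes one bit imply the other, and both roles later in this patch still OR in `PRIV_REMOTE_READ` explicitly next to it. The comment should state which is true, since an administrator granting Remote.Backup on its own will otherwise have to guess at the effective access; if no implication exists, dropping the words "Remote.Read and" from the first comment line would be accurate. Both new comments also say "requires backup ownership" without naming the owner, which for a push target is presumably the user on the remote side and is worth spelling out. If `constnamedbitmap!` numbers bits in declaration order (the macro body is not visible here), inserting the two entries mid-list renumbers every later privilege, so please confirm the raw `u64` is never persisted or exchanged between versions.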
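Review bot: `PRIV_REMOTE_PRUNE`, defined in the first hunk, is not granted by any role this patch touches: `ROLE_REMOTE_ADMIN` here gains only `PRIV_REMOTE_BACKUP`, and `ROLE_REMOTE_SYNC_PUSH_OPERATOR` in the next hunk omits it too, although its doc comment reads "can do read, backup and prune on the remote". If prune is meant to belong to these roles, add `| PRIV_REMOTE_PRUNE` to both masks; if it is deliberately left as an explicit grant, reword the push-operator comment so the documented and effective privileges agree. Separately, this one-line change gives every existing `RemoteAdmin` ACL entry write access to the remote on upgrade, which deserves a sentence in the commit message or release notes. The attributes above `ROLE_REMOTE_ADMIN` sit outside the hunk.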
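Review bot: The new variant's doc comment copies both typos from the line above it; "Syncronisation Opertator" should read `/// Synchronisation Operator (push direction)`. If these doc comments are surfaced as role descriptions to users (the attributes on `Role` are outside the hunk, so this is an assumption), the misspelling lands in the text administrators read when choosing a role. The existing `RemoteSyncOperator` comment has the same typos and could be fixed in a follow-up. The enum body starts before and continues past this hunk.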