From: Christian Ebner
To: pbs-devel@lists.proxmox.com
Date: Thu, 17 Oct 2024 15:26:52 +0200
Message-Id: <20241017132716.385234-8-c.ebner@proxmox.com>
In-Reply-To: <20241017132716.385234-1-c.ebner@proxmox.com>
References: <20241017132716.385234-1-c.ebner@proxmox.com>
Subject: [pbs-devel] [PATCH v4 proxmox 07/31] api types: define remote permissions and roles for push sync

Adding the privileges to allow backup, namespace creation and prune on remote targets, to be used for sync jobs in push direction. Also adds dedicated roles setting the required privileges.
Signed-off-by: Christian Ebner --- changes since version 3: - adapt to reworked priv check, drop Remote.DatastoreModify role pbs-api-types/src/acl.rs | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/pbs-api-types/src/acl.rs b/pbs-api-types/src/acl.rs index a8ae57a9d..86560f7f6 100644 --- a/pbs-api-types/src/acl.rs +++ b/pbs-api-types/src/acl.rs @@ -58,6 +58,12 @@ constnamedbitmap! { PRIV_REMOTE_MODIFY("Remote.Modify"); /// Remote.Read allows reading data from a configured `Remote` PRIV_REMOTE_READ("Remote.Read"); + /// Remote.DatastoreBackup allows creating new snapshots on remote datastores + PRIV_REMOTE_DATASTORE_BACKUP("Remote.DatastoreBackup"); + /// Remote.DatastoreModify allows to modify remote datastores + PRIV_REMOTE_DATASTORE_MODIFY("Remote.DatastoreModify"); + /// Remote.DatastorePrune allows deleting snapshots on remote datastores + PRIV_REMOTE_DATASTORE_PRUNE("Remote.DatastorePrune"); /// Sys.Console allows access to the system's console PRIV_SYS_CONSOLE("Sys.Console"); @@ -160,6 +166,21 @@ pub const ROLE_REMOTE_SYNC_OPERATOR: u64 = 0 | PRIV_REMOTE_AUDIT | PRIV_REMOTE_READ; +#[rustfmt::skip] +#[allow(clippy::identity_op)] +/// Remote.SyncPushOperator can do read and push snapshots to the remote. +pub const ROLE_REMOTE_SYNC_PUSH_OPERATOR: u64 = 0 + | PRIV_REMOTE_AUDIT + | PRIV_REMOTE_READ + | PRIV_REMOTE_DATASTORE_MODIFY + | PRIV_REMOTE_DATASTORE_BACKUP; + +#[rustfmt::skip] +#[allow(clippy::identity_op)] +/// Remote.DatastorePrune can prune snapshots, groups and namespaces on the remote. +pub const ROLE_REMOTE_DATASTORE_PRUNE: u64 = 0 + | PRIV_REMOTE_DATASTORE_PRUNE; + #[rustfmt::skip] #[allow(clippy::identity_op)] /// Tape.Audit can audit the tape backup configuration and media content 
@@ -225,6 +246,10 @@ pub enum Role { RemoteAdmin = ROLE_REMOTE_ADMIN, /// Synchronization Operator RemoteSyncOperator = ROLE_REMOTE_SYNC_OPERATOR, + /// Synchronisation Operator (push direction) + RemoteSyncPushOperator = ROLE_REMOTE_SYNC_PUSH_OPERATOR, + /// Remote Datastore Prune + RemoteDatastorePrune = ROLE_REMOTE_DATASTORE_PRUNE, /// Tape Auditor TapeAudit = ROLE_TAPE_AUDIT, /// Tape Administrator -- 2.39.5 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
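
Review bot: In the constnamedbitmap! hunk (@@ -58,6 +58,12), the doc comment on PRIV_REMOTE_DATASTORE_MODIFY ("allows to modify remote datastores") does not say which operations the privilege gates, unlike the two neighbouring comments, which name snapshot creation and snapshot deletion. The commit message mentions namespace creation, so if that is what this bit covers, please say so in the comment; an admin deciding whether to grant it needs to know the scope. Separately, the three new entries are inserted between PRIV_REMOTE_READ and PRIV_SYS_CONSOLE rather than appended; if the macro assigns bit positions by declaration order, this shifts the numeric value of every later privilege, so it is worth confirming that nothing stores or exchanges the raw u64 values.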
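
Review bot: In the roles hunk (@@ -160,6 +166,21), ROLE_REMOTE_SYNC_PUSH_OPERATOR includes PRIV_REMOTE_DATASTORE_MODIFY, but its doc comment only says it "can do read and push snapshots to the remote". Please document why the modify privilege is part of the role, so the granted scope is visible to whoever assigns it, and fix the wording ("can read and push snapshots"). In the same hunk, the ROLE_REMOTE_DATASTORE_PRUNE comment promises pruning of "snapshots, groups and namespaces", while the PRIV_REMOTE_DATASTORE_PRUNE comment in the first hunk only mentions deleting snapshots; the two should describe the same scope. That comment also names the role "Remote.DatastorePrune", the same string as the privilege, which makes ACL output ambiguous to read. Since this role carries no PRIV_REMOTE_AUDIT or PRIV_REMOTE_READ, a sentence stating that it is meant to be combined with another remote role would help.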
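
Review bot: In the enum Role hunk (@@ -225,6 +246,10), the new variant comment is spelled "Synchronisation Operator (push direction)" while the existing line directly above uses "Synchronization Operator". Please use the same spelling for both, since these comments sit side by side and describe sibling roles.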