From: Christian Ebner <c.ebner@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup 3/3] config: s3: relax permissions to acl subpaths of '/system/s3-endpoint'
Date: Mon, 28 Jul 2025 09:59:57 +0200
Message-ID: <20250728075957.314427-4-c.ebner@proxmox.com>
In-Reply-To: <20250728075957.314427-1-c.ebner@proxmox.com>

Currently the permissions to read/list s3 endpoint configurations
require Sys.Audit, editing requires Sys.Modify, both on the root path.
Switch the privileges to be less restrictive by allowing to set the
permissions on `/system/s3-endpoint/{id}` or `/system/s3-endpoint`.

By this, the permissions can be controlled with more fine tuning,
e.g. allowing to limit read access to a subset of the configured s3
endpoints.

Note, this is independent from the permissions to backup/modify
contents on a datastore. A user does not need to read the s3 endpoint
configuration to perform datastore operations.

Signed-off-by: Christian Ebner <c.ebner@proxmox.com>
---
src/api2/config/s3.rs | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/api2/config/s3.rs b/src/api2/config/s3.rs
index 04b801028..e4804eb72 100644
--- a/src/api2/config/s3.rs
+++ b/src/api2/config/s3.rs
@@ -11,10 +11,11 @@ use proxmox_s3_client::{
use proxmox_schema::{api, param_bail, ApiType};
use pbs_api_types::{
- DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA, PRIV_SYS_AUDIT,
- PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
+ Authid, DataStoreConfig, DatastoreBackendConfig, DatastoreBackendType, JOB_ID_SCHEMA,
+ PRIV_SYS_AUDIT, PRIV_SYS_MODIFY, PROXMOX_CONFIG_DIGEST_SCHEMA,
};
use pbs_config::s3::{self, S3_CFG_TYPE_ID};
+use pbs_config::CachedUserInfo;
#[api(
input: {
@@ -26,7 +27,8 @@ use pbs_config::s3::{self, S3_CFG_TYPE_ID};
items: { type: S3ClientConfigWithoutSecret },
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Anybody,
+ description: "List configured s3 endpoints filtered by Sys.Audit privileges",
},
)]
/// List all s3 client configurations.
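Review bot: The doc comment `/// List all s3 client configurations.` at the end of this hunk no longer matches the handler once access is `Permission::Anybody` and the result is filtered, and the new `description` names the privilege but not the ACL path it is evaluated on. Suggest wording the description along the lines of "filtered by Sys.Audit privileges on /system/s3-endpoint/{id}" and changing the doc comment to say that only the endpoints the caller may audit are returned, so the generated API documentation tells an operator exactly which ACL entry controls visibility.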
@@ -34,8 +36,20 @@ pub fn list_s3_client_config(
_param: Value,
rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<S3ClientConfigWithoutSecret>, Error> {
+ let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+ let user_info = CachedUserInfo::new()?;
+
let (config, digest) = s3::config()?;
- let list = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+ let list: Vec<S3ClientConfigWithoutSecret> = config.convert_to_typed_array(S3_CFG_TYPE_ID)?;
+
+ let list = list
+ .into_iter()
+ .filter(|endpoint| {
+ let privs = user_info.lookup_privs(&auth_id, &["system", "s3-endpoint", &endpoint.id]);
+ privs & PRIV_SYS_AUDIT != 0
+ })
+ .collect();
+
rpcenv["digest"] = hex::encode(digest).into();
Ok(list)
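Review bot: `rpcenv.get_auth_id().unwrap()` on the first added line panics if no auth id is set, while the function already returns `Result`; since this handler now does its own authorization instead of relying on the access block, consider turning the `None` case into an error (for example via `ok_or_else` followed by `?`) so a missing identity fails closed with an API error rather than a panic. Also note that `rpcenv["digest"]` is still computed from the full config returned by `s3::config()`, not from the filtered list, so a caller who may audit only a subset of endpoints sees the digest change when endpoints hidden from them are modified; if that is acceptable, a short comment saying so would help the next reader.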
@@ -59,7 +73,7 @@ pub fn list_s3_client_config(
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint"], PRIV_SYS_MODIFY, false),
},
)]
/// Create a new s3 client configuration.
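Review bot: Creation is checked on `&["system", "s3-endpoint"]`, whereas the read, update and remove handlers later in this patch check `&["system", "s3-endpoint", "{id}"]`, and this access block has no `description` explaining the difference. Suggest adding one stating that Sys.Modify on `/system/s3-endpoint` itself is required to create an endpoint, so it is clear that an ACL entry scoped to a single endpoint id path is not what this handler evaluates.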
@@ -97,7 +111,7 @@ pub fn create_s3_client_config(
},
returns: { type: S3ClientConfigWithoutSecret },
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_AUDIT, false),
},
)]
/// Read an s3 client configuration.
@@ -158,7 +172,7 @@ pub enum DeletableProperty {
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
},
)]
/// Update an s3 client configuration.
@@ -244,7 +258,7 @@ pub fn update_s3_client_config(
},
},
access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["system", "s3-endpoint", "{id}"], PRIV_SYS_MODIFY, false),
},
)]
/// Remove an s3 client configuration.
--
2.47.2
Thread overview: 5+ messages
2025-07-28 7:59 [pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Christian Ebner
2025-07-28 7:59 ` [pbs-devel] [PATCH proxmox-backup 1/3] pbs-config: acls: add s3-endpoint as valid 'system' subpath Christian Ebner
2025-07-28 7:59 ` [pbs-devel] [PATCH proxmox-backup 2/3] ui: expose s3-endpoint as acl subpath for 'system' Christian Ebner
2025-07-28 7:59 ` Christian Ebner [this message]
2025-08-05 13:12 ` [pbs-devel] applied: [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths Thomas Lamprecht