From: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox{,-datacenter-manager} v8 0/9] token-shadow: reduce api token verification overhead
Date: Thu, 9 Apr 2026 17:54:20 +0200
Message-ID: <20260409155437.312760-1-s.rufinatscha@proxmox.com>
Hi,

This series mirrors the token secret caching approach from PBS [0] for PDM
through proxmox-access-control.

Since PDM implements permissions in pdm-api-types and cache/generation hooks
in pdm-config, the trait needed to be split. This series introduces a
separate AccessControlBackend trait (gated behind cfg(feature = "impl")) for
the cache and token.shadow generation hooks, and moves init_user_config there
as well. PDM wires the backend via init_separate(), which accepts the two
traits independently.

This series also wires the existing but previously not wired user and ACL
generation.

Testing

I verified that this series mirrors the already applied PBS patches including
follow-ups by comparing patch diffs.

Functionally, I tested that:

* valid tokens authenticate correctly when used in API requests
* invalid secrets are rejected as before
* generating a new token secret via the dashboard (create token for user,
  regenerate existing secret) works and authenticates correctly
* disabling the token or removing ACL permissions stops requests from being
  accepted

Patches 1 - 6 generally mirror the already applied PBS patches in
proxmox-access-control including follow-ups (thanks @Fabian). Patches 7 - 9
focus on PDM's AccessControlBackend implementation and wire the cache
generations.

Maintainer Notes:

* proxmox-access-control trait split -> version bump
* Renames ConfigVersionCache's pub user_cache_generation and
  increase_user_cache_generation -> version bump
* Adds parking_lot::RwLock dependency in proxmox-access-control

[0] https://lore.proxmox.com/pbs-devel/20260312103708.125282-1-s.rufinatscha@proxmox.com/T/#t

proxmox:

Samuel Rufinatscha (6):
  token shadow: split AccessControlConfig and add token.shadow generation
  token shadow: cache verified API token secrets
  token shadow: invalidate token-secret cache on token.shadow changes
  token shadow: add TTL window to token secret cache
  token shadow: inline set_secret fn
  token shadow: deduplicate more code into apply_api_mutation

 Cargo.toml                                 |   1 +
 proxmox-access-control/Cargo.toml          |   1 +
 proxmox-access-control/src/acl.rs          |   4 +-
 .../src/cached_user_info.rs                |   4 +-
 proxmox-access-control/src/init.rs         | 113 ++++-
 proxmox-access-control/src/lib.rs          |   2 +-
 proxmox-access-control/src/token_shadow.rs | 324 ++++++++++++++++-
 proxmox-access-control/src/user.rs         |   6 +-
 8 files changed, 396 insertions(+), 59 deletions(-)

proxmox-datacenter-manager:

Samuel Rufinatscha (3):
  pdm-config: implement access control backend hooks
  pdm-config: wire user and ACL cache generation
  pdm-config: wire token.shadow generation

 cli/admin/src/main.rs                      |  3 +-
 docs/access-control.rst                    |  4 ++
 lib/pdm-api-types/src/acl.rs               | 26 +---------
 lib/pdm-config/Cargo.toml                  |  1 +
 lib/pdm-config/src/access_control.rs       | 51 ++++++++++++++++++++++
 lib/pdm-config/src/config_version_cache.rs | 34 +++++++++++----
 lib/pdm-config/src/lib.rs                  |  2 +
 server/src/acl.rs                          | 10 ++++-
 8 files changed, 95 insertions(+), 36 deletions(-)
 create mode 100644 lib/pdm-config/src/access_control.rs

Summary over all repositories:
  16 files changed, 491 insertions(+), 95 deletions(-)

-- 
Generated by git-murpp 0.8.1
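Editor's note: the cover letter describes three mechanisms that have to agree for the cache to be safe: a cache of secrets that already passed the expensive check, invalidation keyed on a token.shadow generation counter, and a TTL window. The sketch below is an added, hypothetical illustration of that shape in std-only Rust; it is not the series' code (which lives in proxmox-access-control/src/token_shadow.rs and uses the project's own ConfigVersionCache and parking_lot types). ShadowGeneration stands in for the token.shadow generation hook, the slow_verify closure stands in for the hash comparison against token.shadow, and the token id and secret in main() are constructed sample values.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Mutex;
use std::time::{Duration, Instant};

/// Hypothetical stand-in for the token.shadow generation counter: bumped by every
/// writer of token.shadow (create, regenerate, delete), read by every verifier.
pub struct ShadowGeneration(AtomicU64);

impl ShadowGeneration {
    pub fn new() -> Self {
        Self(AtomicU64::new(1))
    }
    pub fn current(&self) -> u64 {
        self.0.load(Ordering::Acquire)
    }
    /// Call after token.shadow has been rewritten.
    pub fn bump(&self) -> u64 {
        self.0.fetch_add(1, Ordering::AcqRel) + 1
    }
}

struct Entry {
    /// Secret that passed the slow check. A production cache should store a digest
    /// of it instead of the plaintext; kept plain here only to stay std-only.
    secret: String,
    /// token.shadow generation observed before the slow check ran.
    generation: u64,
    verified_at: Instant,
}

pub struct TokenSecretCache {
    entries: Mutex<HashMap<String, Entry>>,
    ttl: Duration,
    slow_verifications: AtomicU64,
}

impl TokenSecretCache {
    pub fn new(ttl: Duration) -> Self {
        Self { entries: Mutex::new(HashMap::new()), ttl, slow_verifications: AtomicU64::new(0) }
    }

    /// How often the expensive check ran; lets callers (and tests) see cache hits.
    pub fn slow_verifications(&self) -> u64 {
        self.slow_verifications.load(Ordering::Relaxed)
    }

    /// Verify `presented` for `tokenid`. Only successes are cached. An entry is dropped
    /// when the generation moved or its age reached the TTL. The generation is read
    /// before the slow check, so a concurrent token.shadow rewrite invalidates the
    /// entry we are about to insert.
    pub fn verify<F>(&self, shadow_gen: &ShadowGeneration, tokenid: &str, presented: &str, slow_verify: F) -> bool
    where
        F: FnOnce(&str, &str) -> bool,
    {
        let now = Instant::now();
        let generation = shadow_gen.current();
        {
            let mut entries = self.entries.lock().unwrap();
            if let Some(entry) = entries.get(tokenid) {
                let fresh = entry.generation == generation
                    && now.duration_since(entry.verified_at) < self.ttl;
                if !fresh {
                    entries.remove(tokenid);
                } else if ct_eq(entry.secret.as_bytes(), presented.as_bytes()) {
                    return true;
                }
                // A mismatch against a fresh entry falls through to the slow path, so a
                // wrong guess costs as much as it did before caching.
            }
        }
        self.slow_verifications.fetch_add(1, Ordering::Relaxed);
        if !slow_verify(tokenid, presented) {
            return false;
        }
        self.entries.lock().unwrap().insert(
            tokenid.to_string(),
            Entry { secret: presented.to_string(), generation, verified_at: now },
        );
        true
    }
}

/// Constant-time comparison for equal-length inputs, so a cached hit does not leak
/// how much of the secret matched through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn main() {
    // Constructed token id and secret; `check` plays the role of the real hash check.
    let shadow_gen = ShadowGeneration::new();
    let cache = TokenSecretCache::new(Duration::from_secs(300));
    let check = |id: &str, s: &str| id == "root@pam!backup" && s == "s3cr3t";
    cache.verify(&shadow_gen, "root@pam!backup", "s3cr3t", check);
    cache.verify(&shadow_gen, "root@pam!backup", "s3cr3t", check);
    println!("slow checks after two requests: {}", cache.slow_verifications());
    shadow_gen.bump(); // token.shadow rewritten, e.g. secret regenerated in the dashboard
    cache.verify(&shadow_gen, "root@pam!backup", "s3cr3t", check);
    println!("slow checks after regeneration: {}", cache.slow_verifications());
}
```

The two properties the cover letter's tests exercise fall out directly: a regenerated secret bumps the generation, so the old cached secret can never authenticate again even inside the TTL window, and a TTL of zero degrades to the uncached behaviour. Negative results are deliberately not cached, since caching rejections would let a client pin a freshly created token as invalid until the entry aged out.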