From: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox-datacenter-manager v8 1/3] pdm-config: implement access control backend hooks
Date: Thu, 9 Apr 2026 17:54:27 +0200 [thread overview]
Message-ID: <20260409155437.312760-8-s.rufinatscha@proxmox.com> (raw)
In-Reply-To: <20260409155437.312760-1-s.rufinatscha@proxmox.com>
Implement AccessControlBackend in pdm-config and move
init_user_config() there from the ACL config in pdm-api-types.
Update server and admin initialization to pass ACL config and backend
separately.
Signed-off-by: Samuel Rufinatscha <s.rufinatscha@proxmox.com>
---
cli/admin/src/main.rs | 3 ++-
lib/pdm-api-types/src/acl.rs | 26 +------------------------
lib/pdm-config/Cargo.toml | 1 +
lib/pdm-config/src/access_control.rs | 29 ++++++++++++++++++++++++++++
lib/pdm-config/src/lib.rs | 2 ++
server/src/acl.rs | 10 ++++++++--
6 files changed, 43 insertions(+), 28 deletions(-)
create mode 100644 lib/pdm-config/src/access_control.rs
diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
index f698fa2..d51f211 100644
--- a/cli/admin/src/main.rs
+++ b/cli/admin/src/main.rs
@@ -18,8 +18,9 @@ fn main() {
let priv_user = pdm_config::priv_user().expect("cannot get privileged user");
proxmox_product_config::init(api_user, priv_user);
- proxmox_access_control::init::init(
+ proxmox_access_control::init::init_separate(
&pdm_api_types::AccessControlConfig,
+ &pdm_config::AccessControlBackend,
pdm_buildcfg::configdir!("/access"),
)
.expect("failed to setup access control config");
diff --git a/lib/pdm-api-types/src/acl.rs b/lib/pdm-api-types/src/acl.rs
index 405982a..0868f3d 100644
--- a/lib/pdm-api-types/src/acl.rs
+++ b/lib/pdm-api-types/src/acl.rs
@@ -2,17 +2,15 @@ use std::collections::HashMap;
use std::str::FromStr;
use std::sync::LazyLock;
-use anyhow::{format_err, Context, Error};
+use anyhow::{format_err, Error};
use const_format::concatcp;
use serde::de::{value, IntoDeserializer};
use serde::{Deserialize, Serialize};
-use proxmox_access_control::types::User;
use proxmox_auth_api::types::Authid;
use proxmox_lang::constnamedbitmap;
use proxmox_schema::api_types::SAFE_ID_REGEX_STR;
use proxmox_schema::{api, const_regex, ApiStringFormat, BooleanSchema, Schema, StringSchema};
-use proxmox_section_config::SectionConfigData;
const_regex! {
pub ACL_PATH_REGEX = concatcp!(r"^(?:/|", r"(?:/", SAFE_ID_REGEX_STR, ")+", r")$");
@@ -224,28 +222,6 @@ impl proxmox_access_control::init::AccessControlConfig for AccessControlConfig {
Some("Administrator")
}
- fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> {
- if !config.sections.contains_key("root@pam") {
- config
- .set_data(
- "root@pam",
- "user",
- User {
- userid: "root@pam".parse().expect("invalid user id"),
- comment: Some("Superuser".to_string()),
- enable: None,
- expire: None,
- firstname: None,
- lastname: None,
- email: None,
- },
- )
- .context("failed to insert default user into user config")?
- }
-
- Ok(())
- }
-
fn acl_audit_privileges(&self) -> u64 {
PRIV_ACCESS_AUDIT
}
diff --git a/lib/pdm-config/Cargo.toml b/lib/pdm-config/Cargo.toml
index d39c2ad..19781d2 100644
--- a/lib/pdm-config/Cargo.toml
+++ b/lib/pdm-config/Cargo.toml
@@ -13,6 +13,7 @@ once_cell.workspace = true
openssl.workspace = true
serde.workspace = true
+proxmox-access-control.workspace = true
proxmox-config-digest = { workspace = true, features = [ "openssl" ] }
proxmox-http = { workspace = true, features = [ "http-helpers" ] }
proxmox-ldap = { workspace = true, features = [ "types" ]}
diff --git a/lib/pdm-config/src/access_control.rs b/lib/pdm-config/src/access_control.rs
new file mode 100644
index 0000000..0c17c99
--- /dev/null
+++ b/lib/pdm-config/src/access_control.rs
@@ -0,0 +1,29 @@
+use anyhow::{Context, Error};
+use proxmox_access_control::types::User;
+use proxmox_section_config::SectionConfigData;
+
+pub struct AccessControlBackend;
+
+impl proxmox_access_control::init::AccessControlBackend for AccessControlBackend {
+ fn init_user_config(&self, config: &mut SectionConfigData) -> Result<(), Error> {
+ if !config.sections.contains_key("root@pam") {
+ config
+ .set_data(
+ "root@pam",
+ "user",
+ User {
+ userid: "root@pam".parse().expect("invalid user id"),
+ comment: Some("Superuser".to_string()),
+ enable: None,
+ expire: None,
+ firstname: None,
+ lastname: None,
+ email: None,
+ },
+ )
+ .context("failed to insert default user into user config")?
+ }
+
+ Ok(())
+ }
+}
diff --git a/lib/pdm-config/src/lib.rs b/lib/pdm-config/src/lib.rs
index 4c49054..6e5e760 100644
--- a/lib/pdm-config/src/lib.rs
+++ b/lib/pdm-config/src/lib.rs
@@ -9,6 +9,8 @@ pub mod remotes;
pub mod setup;
pub mod views;
+mod access_control;
+pub use access_control::AccessControlBackend;
mod config_version_cache;
pub use config_version_cache::ConfigVersionCache;
diff --git a/server/src/acl.rs b/server/src/acl.rs
index f421814..4150ef4 100644
--- a/server/src/acl.rs
+++ b/server/src/acl.rs
@@ -1,7 +1,13 @@
pub(crate) fn init() {
static ACCESS_CONTROL_CONFIG: pdm_api_types::AccessControlConfig =
pdm_api_types::AccessControlConfig;
+ static ACCESS_CONTROL_BACKEND: pdm_config::AccessControlBackend =
+ pdm_config::AccessControlBackend;
- proxmox_access_control::init::init(&ACCESS_CONTROL_CONFIG, pdm_buildcfg::configdir!("/access"))
- .expect("failed to setup access control config");
+ proxmox_access_control::init::init_separate(
+ &ACCESS_CONTROL_CONFIG,
+ &ACCESS_CONTROL_BACKEND,
+ pdm_buildcfg::configdir!("/access"),
+ )
+ .expect("failed to setup access control config");
}
--
2.47.3
next prev parent reply other threads:[~2026-04-09 15:54 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 15:54 [PATCH proxmox{,-datacenter-manager} v8 0/9] token-shadow: reduce api token verification overhead Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox v8 1/6] token shadow: split AccessControlConfig and add token.shadow generation Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox v8 2/6] token shadow: cache verified API token secrets Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox v8 3/6] token shadow: invalidate token-secret cache on token.shadow changes Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox v8 4/6] token shadow: add TTL window to token secret cache Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox v8 5/6] token shadow: inline set_secret fn Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox v8 6/6] token shadow: deduplicate more code into apply_api_mutation Samuel Rufinatscha
2026-04-09 15:54 ` Samuel Rufinatscha [this message]
2026-04-09 15:54 ` [PATCH proxmox-datacenter-manager v8 2/3] pdm-config: wire user and ACL cache generation Samuel Rufinatscha
2026-04-09 15:54 ` [PATCH proxmox-datacenter-manager v8 3/3] pdm-config: wire token.shadow generation Samuel Rufinatscha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409155437.312760-8-s.rufinatscha@proxmox.com \
--to=s.rufinatscha@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox