Re: partially-applied: [PATCH proxmox{-backup,,-datacenter-manager} v7 00/11] token-shadow: reduce api token verification overhead

[Samuel Rufinatscha <s.rufinatscha@proxmox.com>]

On 3/19/26 1:25 PM, Fabian Grünbichler wrote:
> On March 12, 2026 11:36 am, Samuel Rufinatscha wrote:
>> Hi,
>>
>> [..]
>>
>> Patch summary
>>
>> pbs-config:
>> 0001 – pbs-config: add token.shadow generation to ConfigVersionCache
>> 0002 – pbs-config: cache verified API token secrets
>> 0003 – pbs-config: invalidate token-secret cache on token.shadow
>> changes
>> 0004 – pbs-config: add TTL window to token-secret cache
> 
> applied these, with some follow-ups as discussed off-list
>

Thanks again for applying these and for the provided follow-ups.

>> proxmox-access-control:
>> 0005 – access-control: extend AccessControlConfig for token.shadow invalidation
>> 0006 – access-control: cache verified API token secrets
>> 0007 – access-control: invalidate token-secret cache on token.shadow changes
>> 0008 – access-control: add TTL window to token-secret cache
>>
>> proxmox-datacenter-manager:
>> 0009 – pdm-config: add token.shadow generation to ConfigVersionCache
>> 0010 – docs: document API token-cache TTL effects
>> 0011 – pdm-config: wire user+acl cache generation
> 
> skipped these for now - I think the split between the traits there makes
> things a bit too intertwined while sort of pretending they are separate.
> we probably would have noticed earlier that things aren't cleanly
> separated if PDM had wired up user.cfg/acl.cfg caching ;)
> 
> we should probably split the two traits completely, instead of nesting:
> - one for the ACL-related parts needed by the UI, guarded by the `acl`
>    feature
> - one for the user.cfg/token.shadow and caching related parts, guarded
>    by the `impl` feature
> 
> with an `init` call each consuming them (or one consuming the acl one,
> and second impl-one consuming both?).
> 
> neither of these traits is used by the product code itself, except for
> implementing them to tell proxmox-access-control about product-specific
> bits, so having two traits allows properly separating the concerns on
> the product side.
> 
> it would probably also make sense to include the follow-ups (which are
> mostly renaming things) to make it easier to at some point switch the
> PBS code over to proxmox-access-control..
>

Fully agree on this, we should really split the traits completely.
Thanks for the summary. This will be adjusted as part of the next
version.

>> Maintainer Notes:
>> * proxmox-access-control trait split: permissions now live in
>>   AccessControlPermissions, and AccessControlConfig now requires
>>   fn permissions(&self) -> &dyn AccessControlPermissions ->
>>   version bump
>> * Renames ConfigVersionCache`s pub user_cache_generation and
>>   increase_user_cache_generation -> version bump
>> * Adds parking_lot::RwLock dependency in PBS and proxmox-access-control
>>
>> This version and the version before only incorporate the reviewers'
>> feedback [4][5][6], also please consider Christian's R-b tag [4].
>>
>> [1] https://bugzilla.proxmox.com/show_bug.cgi?id=7017
>> [2] attachment 1767 [1]: Flamegraph showing the proxmox_sys::crypt::verify_crypt_pw stack
>> [3] https://bugzilla.proxmox.com/show_bug.cgi?id=6049
>> [4] https://lore.proxmox.com/pbs-devel/20260121151408.731516-1-s.rufinatscha@proxmox.com/T/#t
>> [5] https://lore.proxmox.com/pbs-devel/20260217111229.78661-1-s.rufinatscha@proxmox.com/T/#t
>> [6] https://lore.proxmox.com/pbs-devel/725687dd-5a35-41ed-af62-6dc9f062cbd4@proxmox.com/T/#t
>>
>> proxmox-backup:
>>
>> Samuel Rufinatscha (4):
>>    pbs-config: add token.shadow generation to ConfigVersionCache
>>    pbs-config: cache verified API token secrets
>>    pbs-config: invalidate token-secret cache on token.shadow changes
>>    pbs-config: add TTL window to token secret cache
>>
>>   Cargo.toml                             |   1 +
>>   docs/user-management.rst               |   4 +
>>   pbs-config/Cargo.toml                  |   1 +
>>   pbs-config/src/config_version_cache.rs |  18 ++
>>   pbs-config/src/token_shadow.rs         | 314 ++++++++++++++++++++++++-
>>   5 files changed, 335 insertions(+), 3 deletions(-)
>>
>>
>> proxmox:
>>
>> Samuel Rufinatscha (4):
>>    proxmox-access-control: split AccessControlConfig and add token.shadow
>>      gen
>>    proxmox-access-control: cache verified API token secrets
>>    proxmox-access-control: invalidate token-secret cache on token.shadow
>>      changes
>>    proxmox-access-control: add TTL window to token secret cache
>>
>>   Cargo.toml                                 |   1 +
>>   proxmox-access-control/Cargo.toml          |   1 +
>>   proxmox-access-control/src/acl.rs          |  10 +-
>>   proxmox-access-control/src/init.rs         | 113 ++++++--
>>   proxmox-access-control/src/token_shadow.rs | 315 ++++++++++++++++++++-
>>   5 files changed, 413 insertions(+), 27 deletions(-)
>>
>>
>> proxmox-datacenter-manager:
>>
>> Samuel Rufinatscha (3):
>>    pdm-config: implement token.shadow generation
>>    docs: document API token-cache TTL effects
>>    pdm-config: wire user+acl cache generation
>>
>>   cli/admin/src/main.rs                      |  2 +-
>>   docs/access-control.rst                    |  4 +++
>>   lib/pdm-api-types/src/acl.rs               |  4 +--
>>   lib/pdm-config/Cargo.toml                  |  1 +
>>   lib/pdm-config/src/access_control.rs       | 31 ++++++++++++++++++++
>>   lib/pdm-config/src/config_version_cache.rs | 34 +++++++++++++++++-----
>>   lib/pdm-config/src/lib.rs                  |  2 ++
>>   server/src/acl.rs                          |  3 +-
>>   ui/src/main.rs                             | 10 ++++++-
>>   9 files changed, 77 insertions(+), 14 deletions(-)
>>   create mode 100644 lib/pdm-config/src/access_control.rs
>>
>>
>> Summary over all repositories:
>>    19 files changed, 825 insertions(+), 44 deletions(-)
>>
>> -- 
>> Generated by git-murpp 0.8.1
>>
>>
>>
>>
>>