From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 3C9131FF165 for ; Thu, 23 Oct 2025 13:32:35 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 851708520; Thu, 23 Oct 2025 13:33:02 +0200 (CEST) Mime-Version: 1.0 Date: Thu, 23 Oct 2025 13:32:59 +0200 Message-Id: To: "Dominik Csapak" X-Mailer: aerc 0.20.0 References: <20251022131126.358790-1-s.sterz@proxmox.com> <20251022131126.358790-5-s.sterz@proxmox.com> <6ba2fbad-9058-4263-b98d-a1255234d7e9@proxmox.com> In-Reply-To: <6ba2fbad-9058-4263-b98d-a1255234d7e9@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1761219171331 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.056 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH proxmox v2 4/4] access-control: allow reading all acls of the current authid X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Cc: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" On Thu Oct 23, 2025 at 11:31 AM CEST, Dominik Csapak wrote: > High level question: > > in proxmox-backup we already have a 'list_permissions' api call > > would that (or something like that) not be better suited for the purpose? > (i don't know if it would be easy to refactor that api call here; > probably not because it's pbs specific) > > since with this api call, we'd only have the 'raw' acl entries and > must to calculate things like propagation, etc. on the frontend? > > Or am I wrong with that assumption? the endpoint also exists in pdm, but there are couple of things that prevented me from using it: - it's not yet in a common crate making it more brittle to use in yew-comp. though that can of course be changed easily. - it gives you permissions, not roles. the acl tree, however, works with roles. the idea behind this patch series was to re-use the logic of the acl tree as much as possible. using permissions instead of roles would mean we: - either need to implement another datastructure on the front-end that queries something like an acl tree, but with permissions. duplicating quite a bit of logic and also being more error prone. we still need to traverse the tree after all to make sure that we have the correct path. - adapting the acl tree to work with permissions directly as well. this would mean quite a bit of churn in the acl tree, we need to make sure that none of the current use sites break. - the performance impact of doing it this way wasn't to big in my testing. the actual acl tree in the front-end only consists of the users roles. so it isn't too big by itself. i doubt the propagation logic by itself costs us that much, as it often can just act as a short-circuit (i.e. meaning we return immediately if a role propagates). i can however look into stress testing this a bit more to see if it would cause issues given a very complex acl tree for one specific user. > On 10/22/25 3:11 PM, Shannon Sterz wrote: >> adds a parameter to the `API_METHOD_READ_ACL` endpoint to allow >> listing all ACL entries of the currently authenticated Authid. >> allowing a user to see their own ACLs does not really exposes any >> additional confidential information. however, being able to query this >> information allows us, for example, to adapt ui components to a users >> capabilities. >> >> Signed-off-by: Shannon Sterz >> --- >> proxmox-access-control/src/api/acl.rs | 37 ++++++++++++++++++++++----- >> 1 file changed, 31 insertions(+), 6 deletions(-) >> >> diff --git a/proxmox-access-control/src/api/acl.rs b/proxmox-access-control/src/api/acl.rs >> index 0194d517..07222939 100644 >> --- a/proxmox-access-control/src/api/acl.rs >> +++ b/proxmox-access-control/src/api/acl.rs >> @@ -23,6 +23,12 @@ use crate::CachedUserInfo; >> optional: true, >> default: false, >> }, >> + "exact-authid": { >> + description: "Whether to return ACL entries for the exact current authid only.", >> + type: bool, >> + optional: true, >> + default: false, >> + } >> }, >> }, >> returns: { >> @@ -34,13 +40,17 @@ use crate::CachedUserInfo; >> }, >> access: { >> permission: &Permission::Anybody, >> - description: "Returns all ACLs if user has sufficient privileges on this endpoint, otherwise it is limited to the user's API tokens.", >> + description: "Returns all ACLs if a user has sufficient privileges on this endpoint. \ >> + Otherwise it is limited to the user's API tokens. However, if `exact-authid` is \ >> + specified, all ACLs of the current Auhtid will be returned, whether the Authid has \ >> + privileges to list other ACLs here or not.", >> }, >> )] >> /// Get ACL entries, can be filter by path. >> pub fn read_acl( >> path: Option, >> exact: bool, >> + exact_authid: bool, >> rpcenv: &mut dyn RpcEnvironment, >> ) -> Result, Error> { >> let auth_id = rpcenv >> @@ -58,7 +68,11 @@ pub fn read_acl( >> ) >> .is_err(); >> >> - let filter = if filter_entries { Some(auth_id) } else { None }; >> + let filter = if filter_entries || exact_authid { >> + Some(auth_id) >> + } else { >> + None >> + }; >> >> let (mut tree, digest) = crate::acl::config()?; >> >> @@ -74,7 +88,13 @@ pub fn read_acl( >> >> rpcenv["digest"] = hex::encode(digest).into(); >> >> - Ok(extract_acl_node_data(node, path.as_deref(), exact, &filter)) >> + Ok(extract_acl_node_data( >> + node, >> + path.as_deref(), >> + exact_authid, >> + exact, >> + &filter, >> + )) >> } >> >> #[api( >> @@ -241,7 +261,8 @@ pub fn update_acl( >> fn extract_acl_node_data( >> node: &AclTreeNode, >> path: Option<&str>, >> - exact: bool, >> + exact_authid: bool, >> + exact_path: bool, >> auth_id_filter: &Option, >> ) -> Vec { >> // tokens can't have tokens, so we can early return >> @@ -259,7 +280,11 @@ fn extract_acl_node_data( >> >> for (user, roles) in &node.users { >> if let Some(auth_id_filter) = auth_id_filter { >> - if !user.is_token() || user.user() != auth_id_filter.user() { >> + if exact_authid { >> + if user != auth_id_filter { >> + continue; >> + } >> + } else if !user.is_token() || user.user() != auth_id_filter.user() { >> continue; >> } >> } >> @@ -291,7 +316,7 @@ fn extract_acl_node_data( >> } >> } >> >> - if !exact { >> + if !exact_path { >> nodes.extend( >> node.children >> .iter() _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel