[pbs-devel] [RFC proxmox-backup 17/24] api types: define remote permissions and roles for push sync

Christian Ebner c.ebner at proxmox.com
Mon Jul 15 12:15:55 CEST 2024


Adding the privileges to allow backup and prune on remote targets, to
be used for sync jobs in push direction.

Also adds a dedicated role collecting the required privileges.

Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
---
 pbs-api-types/src/acl.rs | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/pbs-api-types/src/acl.rs b/pbs-api-types/src/acl.rs
index ef6398629..f644029fa 100644
--- a/pbs-api-types/src/acl.rs
+++ b/pbs-api-types/src/acl.rs
@@ -58,6 +58,12 @@ constnamedbitmap! {
         PRIV_REMOTE_MODIFY("Remote.Modify");
         /// Remote.Read allows reading data from a configured `Remote`
         PRIV_REMOTE_READ("Remote.Read");
+        /// Remote.Backup allows Remote.Read and creating new snapshots on a configured `Remote`,
+        /// but also requires backup ownership
+        PRIV_REMOTE_BACKUP("Remote.Backup");
+        /// Remote.Prune allows deleting snapshots on a configured `Remote`,
+        /// but also requires backup ownership
+        PRIV_REMOTE_PRUNE("Remote.Prune");
 
         /// Sys.Console allows access to the system's console
         PRIV_SYS_CONSOLE("Sys.Console");
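Review bot: The doc comment on the added `PRIV_REMOTE_BACKUP` line says Remote.Backup "allows Remote.Read", but a single bit in a `constnamedbitmap!` cannot imply another bit — whether a holder of Remote.Backup can also read from the remote depends entirely on how the permission checks in the push-sync code are written, and nothing in this patch shows that. Unless those checks are written to accept either bit, the comment should say the privilege is meant to be granted together with Remote.Read (as the roles in this series do) rather than that it includes it. Both new comments also say "requires backup ownership" without saying whose ownership is meant; I assume the intent is that the credentials configured in the `Remote` must own the target group on the remote side, since the remote's own ACL — not these local bits — is what actually authorizes the write or delete there. Suggested wording: `/// Remote.Backup allows creating new snapshots on a configured Remote (grant together with Remote.Read); the remote-side credentials must additionally own the target backup group`, with the matching sentence for Remote.Prune.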
@@ -151,6 +157,7 @@ pub const ROLE_REMOTE_AUDIT: u64 = 0
 pub const ROLE_REMOTE_ADMIN: u64 = 0
     | PRIV_REMOTE_AUDIT
     | PRIV_REMOTE_MODIFY
+    | PRIV_REMOTE_BACKUP
     | PRIV_REMOTE_READ;
 
 #[rustfmt::skip]
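Review bot: `ROLE_REMOTE_ADMIN` gains `PRIV_REMOTE_BACKUP` but not `PRIV_REMOTE_PRUNE`, so after this patch no role visible here carries the new prune privilege and a RemoteAdmin can push snapshots to a remote but not remove them. If that is deliberate least privilege — deleting data on a remote is destructive and should need an explicit grant — it is worth stating in the doc comment above the constant (which starts outside this hunk), e.g. `/// Remote.Admin deliberately excludes Remote.Prune; removing remote snapshots must be granted separately`. If it is an oversight, the fix is the single line `| PRIV_REMOTE_PRUNE` next to the added one. Either way the asymmetry should be intentional rather than incidental, since roles are what administrators actually assign.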
@@ -160,6 +167,14 @@ pub const ROLE_REMOTE_SYNC_OPERATOR: u64 = 0
     | PRIV_REMOTE_AUDIT
     | PRIV_REMOTE_READ;
 
+#[rustfmt::skip]
+#[allow(clippy::identity_op)]
+/// Remote.SyncPushOperator can do read, backup and prune on the remote.
+pub const ROLE_REMOTE_SYNC_PUSH_OPERATOR: u64 = 0
+    | PRIV_REMOTE_AUDIT
+    | PRIV_REMOTE_BACKUP
+    | PRIV_REMOTE_READ;
+
 #[rustfmt::skip]
 #[allow(clippy::identity_op)]
 /// Tape.Audit can audit the tape backup configuration and media content
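Review bot: The doc comment on the new `ROLE_REMOTE_SYNC_PUSH_OPERATOR` says the role "can do read, backup and prune on the remote", but the constant only ORs in `PRIV_REMOTE_AUDIT`, `PRIV_REMOTE_BACKUP` and `PRIV_REMOTE_READ` — `PRIV_REMOTE_PRUNE` is missing, so the comment overstates what the role grants. Either add `| PRIV_REMOTE_PRUNE` to the definition, or change the comment to `/// Remote.SyncPushOperator can read and create backups on the remote, but not prune`. If prune is left out on purpose, a push job that also removes vanished snapshots would presumably need the privilege granted separately; I cannot see from this patch which of the two is intended, only that comment and definition currently disagree.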
@@ -225,6 +240,8 @@ pub enum Role {
     RemoteAdmin = ROLE_REMOTE_ADMIN,
     /// Syncronisation Opertator
     RemoteSyncOperator = ROLE_REMOTE_SYNC_OPERATOR,
+    /// Syncronisation Opertator (push direction)
+    RemoteSyncPushOperator = ROLE_REMOTE_SYNC_PUSH_OPERATOR,
     /// Tape Auditor
     TapeAudit = ROLE_TAPE_AUDIT,
     /// Tape Administrator
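Review bot: The doc comment on the new `RemoteSyncPushOperator` variant copies the misspellings from the line above it ("Syncronisation Opertator"); since this is a freshly added line, it should read `/// Synchronisation Operator (push direction)` rather than propagating the typo into rustdoc and any generated API description. The enclosing `pub enum Role` starts outside this hunk, so the existing variant's comment is not touched here, but a follow-up could fix it as well.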
-- 
2.39.2




