[pbs-devel] [PATCH backup/proxmox-backup 0/4] fix #5463: add optional consent banner before login
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu May 23 11:24:47 CEST 2024
On 23/05/2024 at 09:51, Dominik Csapak wrote:
> On 5/22/24 17:31, Thomas Lamprecht wrote:
>> This is currently still missing any actual barrier as it's all frontend,
>> shouldn't there be a cookie that is checked on the backend side if a
>> consent.txt exists? If this specific consent type (RMF AC-8 for US gov)
>> doesn't need that, it might be worth replacing the generic text box
>> with a type selection for that, we could always add a "custom" type
>> that takes a generic text and extend that with an option about how
>> strict it should be checked, if we get this now.
>
> when checking https://csf.tools/reference/nist-sp-800-53/r5/ac/ac-8/
> (not the "official" document, but very close, the original can be downloaded
> in docx form here:
> https://csrc.nist.rip/projects/risk-management/about-rmf/assess-step/assessment-cases-download-page)
> it does not seem to be necessary for any cookie handling
> since it just wants the disclaimer to be displayed before login
ack, thanks for the links.
>
>>
>> And how should API calls made using API tokens get handled, should they
>> have a header signalling consent or not? If so, should there be a set of
>> standard consents that one can explicitly consent to? As a blanket
>> consent to an unknown text would not be of much use.
>
>
> also it says that this is only for human interaction, so any api
> access etc. is exempt IIUC
So pretty much a worthless "keep out" sign [0], can one even be
enterprise ready without those? ;-)
[0]: https://i.imgur.com/mSHi8.jpeg
Anyhow, fine by me, but I then still would prefer having this saved
as structured data with an explicit type so that we can easily extend
this with an option for actually enforcing such a consent, if ever
requested.
Maybe we can even add it as encoded text to an existing config, for PVE
the datacenter one would be a good fit, for PMG we also have a cluster
wide one IIRC and for PBS we could just add it to the node.cfg (and cache
inside the http daemon).
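As an added illustration of the structured, typed consent setting discussed in this thread (example code, not part of the patch series or of the Proxmox code base), a sketch of storing the consent as one encoded line in an existing config such as node.cfg, with a type selection and an enforcement switch; the type names, the "consent:" key and the hex encoding are assumptions of this example:

```rust
// Added example (not code from the patch series or the Proxmox code base): the structured
// consent setting proposed above, kept as one property-string line in an existing config such
// as node.cfg. Type names, the "consent:" key and hex-encoding the text are assumptions.
#[derive(Debug, Clone, PartialEq)]
pub enum ConsentKind {
    NistAc8,                  // AC-8 style notice: shown before login, never checked on the API
    Custom { enforce: bool }, // free-form text with an explicit enforcement switch for later
}
#[derive(Debug, Clone, PartialEq)]
pub struct ConsentConfig { pub kind: ConsentKind, pub text: String }
fn hex_encode(s: &str) -> String { s.bytes().map(|b| format!("{b:02x}")).collect() }
fn hex_decode(h: &str) -> Option<String> {
    if h.len() % 2 != 0 || !h.is_ascii() { return None; }
    let bytes: Option<Vec<u8>> =
        (0..h.len()).step_by(2).map(|i| u8::from_str_radix(&h[i..i + 2], 16).ok()).collect();
    String::from_utf8(bytes?).ok()
}

impl ConsentConfig {
    /// `consent: type=<kind>,enforce=<0|1>,text=<hex>`; encoding the text keeps commas and
    /// newlines in the banner from breaking the line-oriented config.
    pub fn to_config_line(&self) -> String {
        let (ty, enforce) = match self.kind {
            ConsentKind::NistAc8 => ("nist-ac8", false),
            ConsentKind::Custom { enforce } => ("custom", enforce),
        };
        format!("consent: type={ty},enforce={},text={}", enforce as u8, hex_encode(&self.text))
    }
    pub fn from_config_line(line: &str) -> Option<Self> {
        let (mut ty, mut enforce, mut text) = (None, false, None);
        for kv in line.strip_prefix("consent:")?.trim().split(',') {
            match kv.split_once('=')? {
                ("type", v) => ty = Some(v.to_string()),
                ("enforce", v) => enforce = v == "1",
                ("text", v) => text = Some(hex_decode(v)?),
                _ => return None, // unknown key: reject rather than silently ignore
            }
        }
        let kind = match ty?.as_str() {
            "nist-ac8" => ConsentKind::NistAc8,
            "custom" => ConsentKind::Custom { enforce },
            _ => return None,
        };
        Some(ConsentConfig { kind, text: text? })
    }
    /// Only interactive (non-token) sessions under an enforced custom consent need a check.
    pub fn must_enforce(&self, is_api_token: bool) -> bool {
        !is_api_token && matches!(self.kind, ConsentKind::Custom { enforce: true })
    }
}
```

The enforcement flag is not acted on anywhere here; it only records the intent so the setting can later drive a backend check without changing the stored format.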