[pbs-devel] [PATCH v3 proxmox-backup 13/33] config: acl: allow namespace components for remote datastores

Christian Ebner c.ebner at proxmox.com
Mon Oct 14 10:18:04 CEST 2024


On 10/10/24 16:49, Fabian Grünbichler wrote:
> On September 12, 2024 4:33 pm, Christian Ebner wrote:
>> Extend the component limit for ACL paths of `remote` to include
>> possible namespace components.
>>
>> This allows limiting the permissions for sync jobs in push direction
>> to a namespace subset on the remote datastore.
>>
>> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
>> ---
>> changes since version 2:
>> - not present in previous version
>>
>>   pbs-config/src/acl.rs | 5 ++++-
>>   1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/pbs-config/src/acl.rs b/pbs-config/src/acl.rs
>> index 6b6500f34..5177e22f0 100644
>> --- a/pbs-config/src/acl.rs
>> +++ b/pbs-config/src/acl.rs
>> @@ -89,10 +89,13 @@ pub fn check_acl_path(path: &str) -> Result<(), Error> {
>>               }
>>           }
>>           "remote" => {
>> -            // /remote/{remote}/{store}
>> +            // /remote/{remote}/{store}/{namespace}
>>               if components_len <= 3 {
>>                   return Ok(());
>>               }
>> +            if components_len > 3 && components_len <= 3 + pbs_api_types::MAX_NAMESPACE_DEPTH {
>> +                return Ok(());
>> +            }
> 
> these two ifs can just be combined into a single one with
> 
> components_len <= 3 + pbs_api_types::MAX_NAMESPACE_DEPTH
> 
> as condition. the same applies to the corresponding variant shifted by 1
> for local datastores/namespaces.

Ack, will combine these and do the same for the datastore as well.

> 
>>           }
>>           "system" => {
>>               if components_len == 1 {
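
Review bot: in the "remote" arm the updated comment `// /remote/{remote}/{store}/{namespace}` reads as if exactly one namespace component were allowed, while the added condition accepts up to `pbs_api_types::MAX_NAMESPACE_DEPTH` components after the store; the comment should state that bound, for example by saying the store may be followed by up to MAX_NAMESPACE_DEPTH namespace components. The visible lines of this arm check only `components_len`, so a unit test for `check_acl_path` that exercises a remote path with exactly `3 + pbs_api_types::MAX_NAMESPACE_DEPTH` components and one with a single component more would pin down the new boundary, and would keep it pinned once the two `if`s are merged.
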
>> -- 
>> 2.39.2
>>
>>
>>
>> _______________________________________________
>> pbs-devel mailing list
>> pbs-devel at lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel