[pbs-devel] [PATCH v5 proxmox-backup 07/31] api types: define remote permissions and roles for push sync
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Oct 25 12:15:46 CEST 2024
On October 18, 2024 10:42 am, Christian Ebner wrote:
> Adding the privileges to allow backup, namespace creation and prune
> on remote targets, to be used for sync jobs in push direction.
>
> Also adds dedicated roles setting the required privileges.
>
> Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
> ---
> changes since version 4:
> - no changes
>
> changes since version 3:
> - adapt to reworked priv check, drop Remote.DatastoreModify role
>
> pbs-api-types/src/acl.rs | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/pbs-api-types/src/acl.rs b/pbs-api-types/src/acl.rs
> index a8ae57a9d..86560f7f6 100644
> --- a/pbs-api-types/src/acl.rs
> +++ b/pbs-api-types/src/acl.rs
> @@ -58,6 +58,12 @@ constnamedbitmap! {
> PRIV_REMOTE_MODIFY("Remote.Modify");
> /// Remote.Read allows reading data from a configured `Remote`
> PRIV_REMOTE_READ("Remote.Read");
> + /// Remote.DatastoreBackup allows creating new snapshots on remote datastores
> + PRIV_REMOTE_DATASTORE_BACKUP("Remote.DatastoreBackup");
> + /// Remote.DatastoreModify allows to modify remote datastores
> + PRIV_REMOTE_DATASTORE_MODIFY("Remote.DatastoreModify");
> + /// Remote.DatastorePrune allows deleting snapshots on remote datastores
> + PRIV_REMOTE_DATASTORE_PRUNE("Remote.DatastorePrune");
>
> /// Sys.Console allows access to the system's console
> PRIV_SYS_CONSOLE("Sys.Console");
> @@ -160,6 +166,21 @@ pub const ROLE_REMOTE_SYNC_OPERATOR: u64 = 0
> | PRIV_REMOTE_AUDIT
> | PRIV_REMOTE_READ;
>
> +#[rustfmt::skip]
> +#[allow(clippy::identity_op)]
> +/// Remote.SyncPushOperator can do read and push snapshots to the remote.
> +pub const ROLE_REMOTE_SYNC_PUSH_OPERATOR: u64 = 0
> + | PRIV_REMOTE_AUDIT
> + | PRIV_REMOTE_READ
do we need READ here? IMHO REMOTE_DATASTORE_BACKUP implies listing and
reading their own backups. if we don't need it here, we could hand out
push but not pull access..
> + | PRIV_REMOTE_DATASTORE_MODIFY
not sure if we want that there, this is the role that most people will
give to users for pushing, and MODIFY allows creating/removing
namespaces.. for pulling this is handled by the local privs, so we don't
need to differentiate for the remote side, but for pushing we probably
want:
- just push: Audit+Backup, only allows pushing to owned groups or
creating new ones (append-only)
- prune: Prune, allows pushing to owned groups and
removing vanished snapshots or groups, when combined with "just push"
- modify: allows creating/removing namespaces, when combined with "just
push" (implies prune?, this is a sort of power user that can break a
lot of things)
> + | PRIV_REMOTE_DATASTORE_BACKUP;
> +
> +#[rustfmt::skip]
> +#[allow(clippy::identity_op)]
> +/// Remote.DatastorePrune can prune snapshots, groups and namespaces on the remote.
> +pub const ROLE_REMOTE_DATASTORE_PRUNE: u64 = 0
> + | PRIV_REMOTE_DATASTORE_PRUNE;
> +
> #[rustfmt::skip]
> #[allow(clippy::identity_op)]
> /// Tape.Audit can audit the tape backup configuration and media content
> @@ -225,6 +246,10 @@ pub enum Role {
> RemoteAdmin = ROLE_REMOTE_ADMIN,
> /// Synchronization Operator
> RemoteSyncOperator = ROLE_REMOTE_SYNC_OPERATOR,
> + /// Synchronisation Operator (push direction)
> + RemoteSyncPushOperator = ROLE_REMOTE_SYNC_PUSH_OPERATOR,
> + /// Remote Datastore Prune
> + RemoteDatastorePrune = ROLE_REMOTE_DATASTORE_PRUNE,
> /// Tape Auditor
> TapeAudit = ROLE_TAPE_AUDIT,
> /// Tape Administrator
> --
> 2.39.5
>
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
More information about the pbs-devel
mailing list