[pbs-devel] [PATCH v2 proxmox-backup 13/31] api types: define remote permissions and roles for push sync

Christian Ebner c.ebner at proxmox.com
Thu Sep 5 13:17:21 CEST 2024 

On 8/7/24 13:21, Fabian Grünbichler wrote:
> after thinking about this some more - this is missing some more bits I think.
> 
> for a pull based sync, we have two users:
> - local owner/user
> - remote user via remote.cfg
> 
> we only ever query/read from the remote side, so having two privs is fine:
> - one to see the remote in the first place
> - one to read backups that the configured remote user sees
> 
> for the local side, we have the full set of privs/operations:
> - create/delete namespaces (DATASTORE_MODIFY)
> - delete snapshots or groups (DATASTORE_MODIFY or DATASTORE_PRUNE+owner)
> - create snapshots or groups (DATASTORE_BACKUP+owner)
> 
> but for push based backups, we basically need to map the "local" privs from a
> pull to the remote privs, since we possibly need to do the same set of
> operations (while in the case of push, we only query/read the local side, so
> the priv matrix there is simpler).
> 
> the owner semantics for push based backups are also rather weird/confusing:
> 
> - if owner has PRIV_DATASTORE_READ on the source, all groups will be synced
> - if owner only has PRIV_DATASTORE_BACKUP only owned groups will be synced
> - the backups on the target will always be owned by the remote.cfg user(!)

Yes, I agree that this might be confusing. I think however that the main 
confusion stems from the fact, that the local user is currently referred 
to as `owner`, while as a matter of fact this is the `source reader`? I 
do think it makes sense that only backups which that user can see are 
synced, after all that is the reason to even create a user with that 
permission set?

The owner will be the user as which the backup is written onto the 
target (which is given by the remote). This cannot currently be 
configured as for the pull job.

> 
> syncing back is thus only possible if the (source) owner and the remote.cfg
> user are identical?

When syncing back by a pull, the owner can be set by the sync job again, 
so that should be possible. Although, the initial ownership might get 
lost. But that is already the case with the pull sync job? Or do you 
mean syncing back by pushing the snapshots over from the remote again?

> 
> should we rename that parameter? owner makes sense for pulling (it is the user
> that owns the synced groups after the sync), but not so much for pushing, where
> something like "Local User" might be less misleading?
> 

Yes, agreed.

More information about the pbs-devel mailing list