[pbs-devel] [PATCH v3 proxmox-backup 13/33] config: acl: allow namespace components for remote datastores

Christian Ebner c.ebner at proxmox.com
Thu Sep 12 16:33:02 CEST 2024


Extend the component limit for ACL paths of `remote` to include
possible namespace components.

This allows limiting the permissions for sync jobs in push direction
to a namespace subset on the remote datastore.

Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
---
changes since version 2:
- not present in previous version

 pbs-config/src/acl.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pbs-config/src/acl.rs b/pbs-config/src/acl.rs
index 6b6500f34..5177e22f0 100644
--- a/pbs-config/src/acl.rs
+++ b/pbs-config/src/acl.rs
@@ -89,10 +89,13 @@ pub fn check_acl_path(path: &str) -> Result<(), Error> {
             }
         }
         "remote" => {
-            // /remote/{remote}/{store}
+            // /remote/{remote}/{store}/{namespace}
             if components_len <= 3 {
                 return Ok(());
             }
+            if components_len > 3 && components_len <= 3 + pbs_api_types::MAX_NAMESPACE_DEPTH {
+                return Ok(());
+            }
         }
         "system" => {
             if components_len == 1 {
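
Review bot: In the "remote" arm, the `components_len > 3` half of the new condition is always true once the preceding `components_len <= 3` check has returned, so both checks can collapse into a single `if components_len <= 3 + pbs_api_types::MAX_NAMESPACE_DEPTH`. The updated comment shows a single `{namespace}` segment, while the bound admits up to MAX_NAMESPACE_DEPTH additional components; writing it as something like `/remote/{remote}/{store}/{ns}/{ns}/...` would make the accepted shape explicit. Only the component count is checked in these lines, so it is worth stating in the comment or commit message where the content of the namespace components is validated, given that these paths scope permissions for push sync jobs.
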
-- 
2.39.2
