[pbs-devel] [PATCH proxmox-backup 0/3] relax s3 endpoint acls to sub-paths
Christian Ebner
c.ebner at proxmox.com
Mon Jul 28 09:59:54 CEST 2025

This patch series relaxes the currently rather strict permissions
required to read/list/edit/delete the s3 endpoint configurations.
Instead of requiring either Sys.Audit or Sys.Modify on the root path,
allow defining permissions on the /system/s3-endpoint and
/system/s3-endpoint/{id} sub-paths. This way, the permissions can be
set more flexibly.

Note: These permissions are independent of operations on datastores
backed by an s3 backend; the client does not need to access the config
in any way via the api, as s3 client instantiation is handled by the
backend itself.

For example, allow `user@pbs` to edit all s3 endpoints:

    acl:1:/system/s3-endpoint:user@pbs:Admin

Allow `user@pbs` to list/read the `aws-s3` endpoint only:

    acl:1:/system/s3-endpoint/aws-s3:user@pbs:Audit

Christian Ebner (3):
  pbs-config: acls: add s3-endpoint as valid 'system' subpath
  ui: expose s3-endpoint as acl subpath for 'system'
  config: s3: relax permissions to acl subpaths of '/system/s3-endpoint'

 pbs-config/src/acl.rs              |  6 ++++++
 src/api2/config/s3.rs              | 30 ++++++++++++++++++++++--------
 www/form/PermissionPathSelector.js |  1 +
 3 files changed, 29 insertions(+), 8 deletions(-)

--
2.47.2
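
Added illustration, not part of the original mail and not proxmox-backup code: a simplified Rust model of how `acl:<propagate>:<path>:<user>:<role>` entries on the `/system/s3-endpoint` sub-paths scope a user's role. The user names, the `other-s3` endpoint id, the non-propagating entry and the rule that the deepest applicable entry wins are assumptions of this example.

```rust
// Simplified model of sub-path ACL resolution (assumption, not the project's code).
#[derive(Debug, Clone, PartialEq)]
struct Acl { propagate: bool, path: String, user: String, role: String }

/// Parse one `acl:<propagate>:<path>:<user>:<role>` line (one user, one role).
fn parse_acl(line: &str) -> Option<Acl> {
    let p: Vec<&str> = line.trim().split(':').collect();
    if p.len() != 5 || p[0] != "acl" || !p[2].starts_with('/') { return None; }
    let propagate = match p[1] { "1" => true, "0" => false, _ => return None };
    Some(Acl { propagate, path: p[2].into(), user: p[3].into(), role: p[4].into() })
}

/// Walk from "/" down to `path`. An entry on an ancestor counts only if it
/// propagates; an entry on the target path always counts; deeper entries win.
fn effective_role(acls: &[Acl], user: &str, path: &str) -> Option<String> {
    let comps: Vec<&str> = path.split('/').filter(|c| !c.is_empty()).collect();
    let mut role = None;
    for depth in 0..=comps.len() {
        let prefix = format!("/{}", comps[..depth].join("/"));
        let is_target = depth == comps.len();
        for acl in acls.iter().filter(|a| a.user == user && a.path == prefix) {
            if is_target || acl.propagate { role = Some(acl.role.clone()); }
        }
    }
    role
}

/// Constructed sample config; all three users are hypothetical.
fn sample_acls() -> Vec<Acl> {
    ["acl:1:/system/s3-endpoint:admin@pbs:Admin",
     "acl:1:/system/s3-endpoint/aws-s3:auditor@pbs:Audit",
     "acl:0:/system/s3-endpoint:helper@pbs:Audit"]
        .iter().filter_map(|l| parse_acl(l)).collect()
}

fn main() {
    let acls = sample_acls();
    for (user, path) in [("admin@pbs", "/system/s3-endpoint/aws-s3"),
                         ("auditor@pbs", "/system/s3-endpoint/aws-s3"),
                         ("auditor@pbs", "/system/s3-endpoint/other-s3"),
                         ("helper@pbs", "/system/s3-endpoint/aws-s3")] {
        println!("{user} on {path}: {:?}", effective_role(&acls, user, path));
    }
}
```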