[pdm-devel] [PATCH datacenter-manager] server: remotes: add acls to PBS API token on token creation
Christian Ebner
c.ebner at proxmox.com
Fri Sep 26 08:33:12 CEST 2025
PBS requires the token to have a role for a given ACL path to allow
access to the corresponding sub-resource. In order to provide the
token created by the remote add wizard the necessary permissions,
adapt the client code so it also performs the additional API calls.
Adapt the internal API such that there is additional type checking
instead of using plain strings and extend it such that multiple acls
can be set if required, to be future prove.
Signed-off-by: Christian Ebner <c.ebner at proxmox.com>
---
server/src/api/remotes.rs | 6 ++++--
server/src/pbs_client.rs | 27 +++++++++++++++++++++++----
2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/server/src/api/remotes.rs b/server/src/api/remotes.rs
index 033aa7c..9624542 100644
--- a/server/src/api/remotes.rs
+++ b/server/src/api/remotes.rs
@@ -5,6 +5,7 @@ use std::error::Error as _;
use anyhow::{bail, format_err, Error};
use serde::{Deserialize, Serialize};
+use pbs_api_types::Role;
use proxmox_access_control::CachedUserInfo;
use proxmox_router::{
http_bail, http_err, list_subdirs_api_method, Permission, Router, RpcEnvironment, SubdirMap,
@@ -164,13 +165,14 @@ pub async fn add_remote(mut entry: Remote, create_token: Option<String>) -> Resu
let token = client
.create_token(
- &entry.authid.to_string(),
- &create_token,
+ entry.authid.user().to_owned(),
+ pbs_api_types::Tokenname::try_from(create_token)?,
pbs_client::CreateToken {
comment,
enable: Some(true),
expire: None,
},
+ &[("/datastore", Role::DatastoreAudit)],
)
.await
.map_err(short_create_err)?;
diff --git a/server/src/pbs_client.rs b/server/src/pbs_client.rs
index def9a4a..24e0c05 100644
--- a/server/src/pbs_client.rs
+++ b/server/src/pbs_client.rs
@@ -8,6 +8,7 @@ use anyhow::bail; // don't import Error as default error in here
use http_body_util::BodyExt;
use serde::Deserialize;
+use pbs_api_types::Role;
use proxmox_client::{ApiPathBuilder, Error, HttpApiClient};
use proxmox_router::stream::JsonRecords;
use proxmox_schema::api;
@@ -148,12 +149,30 @@ impl PbsClient {
/// create a pbs token
pub async fn create_token(
&self,
- userid: &str,
- tokenid: &str,
+ userid: pbs_api_types::Userid,
+ tokenid: pbs_api_types::Tokenname,
params: CreateToken,
+ acls: &[(&str, Role)],
) -> Result<CreateTokenResponse, Error> {
- let path = format!("/api2/extjs/access/users/{userid}/token/{tokenid}");
- Ok(self.0.post(&path, ¶ms).await?.expect_json()?.data)
+ let path = format!(
+ "/api2/extjs/access/users/{}/token/{}",
+ userid.as_str(),
+ tokenid.as_str(),
+ );
+ let response = self.0.post(&path, ¶ms).await?.expect_json()?.data;
+
+ let auth_id = pbs_api_types::Authid::from((userid, Some(tokenid)));
+ for (acl_path, role) in acls {
+ let params = serde_json::json!({
+ "path": acl_path,
+ "auth-id": auth_id,
+ "role": role,
+ "propagate": true,
+ });
+ self.0.put("/api2/extjs/access/acl", ¶ms).await?;
+ }
+
+ Ok(response)
}
/// Return the status the Proxmox Backup Server instance
--
2.47.3
More information about the pdm-devel
mailing list