prune: fix workerid issues

properly encode the namespace as separate field both for manual prunes and the job. fix the access checks as well now that the job doesn't use the jobid as workerid anymore. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2022-05-16 11:00:56 +02:00 · 2022-05-16 11:00:56 +02:00 · 3697161800
parent e13303fca6
commit 3697161800
3 changed files with 20 additions and 18 deletions
--- a/src/api2/admin/datastore.rs
+++ b/src/api2/admin/datastore.rs
@ -950,10 +950,9 @@ pub fn prune(
        ns: ns.clone(),
    };

+    let worker_id = format!("{}:{}:{}", store, ns, group);
    let group = datastore.backup_group(ns, group);

-    let worker_id = format!("{}:{}", store, group);
-
    let mut prune_result = Vec::new();

    let list = group.list_backups()?;
@ -1081,6 +1080,8 @@ pub fn prune_datastore(
    let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;

    let datastore = DataStore::lookup_datastore(&store, Some(Operation::Write))?;
+    let ns = ns.unwrap_or_default();
+    let worker_id = format!("{}:{}", store, ns);

    let to_stdout = rpcenv.env_type() == RpcEnvironmentType::CLI;

@ -1088,18 +1089,11 @@ pub fn prune_datastore(

    let upid_str = WorkerTask::new_thread(
        "prune",
-        Some(store.clone()),
+        Some(worker_id),
        auth_id.to_string(),
        to_stdout,
        move |worker| {
-            crate::server::prune_datastore(
-                worker,
-                auth_id,
-                prune_options,
-                datastore,
-                ns.unwrap_or_default(),
-                dry_run,
-            )
+            crate::server::prune_datastore(worker, auth_id, prune_options, datastore, ns, dry_run)
        },
    )?;

--- a/src/api2/node/tasks.rs
+++ b/src/api2/node/tasks.rs
@ -64,12 +64,17 @@ fn check_job_privs(auth_id: &Authid, user_info: &CachedUserInfo, upid: &UPID) ->
            )
        }
        ("prune", Some(workerid)) => {
-            return user_info.check_privs(
-                auth_id,
-                &["datastore", workerid],
-                PRIV_DATASTORE_MODIFY,
-                true,
-            );
+            let mut acl_path = vec!["datastore"];
+            acl_path.extend(workerid.split(':'));
+            let acl_path = match acl_path.len() {
+                4 => &acl_path[..3],    // contains group as fourth element
+                2 | 3 => &acl_path[..], // store + optional NS
+                _ => {
+                    bail!("invalid worker ID for prune task");
+                }
+            };
+
+            return user_info.check_privs(auth_id, acl_path, PRIV_DATASTORE_MODIFY, true);
        }
        _ => bail!("not a scheduled job task"),
    };
--- a/src/server/prune_job.rs
+++ b/src/server/prune_job.rs
@ -104,14 +104,17 @@ pub fn do_prune_job(

    let worker_type = job.jobtype().to_string();
    let auth_id = auth_id.clone();
+    let worker_id = format!("{store}");
    let upid_str = WorkerTask::new_thread(
        &worker_type,
-        Some(job.jobname().to_string()),
+        Some(worker_id),
        auth_id.to_string(),
        false,
        move |worker| {
            job.start(&worker.upid().to_string())?;

+            task_log!(worker, "prune job '{}'", job.jobname());
+
            if let Some(event_str) = schedule {
                task_log!(worker, "task triggered by schedule '{}'", event_str);
            }