tape: impl access permissions for tape jobs

This commit is contained in:
Dietmar Maurer 2021-03-03 12:44:39 +01:00
parent 16bd08b297
commit 396fd747a6
2 changed files with 50 additions and 2 deletions


@ -2,16 +2,22 @@ use anyhow::{bail, format_err, Error};
use serde_json::Value; use serde_json::Value;
use ::serde::{Deserialize, Serialize}; use ::serde::{Deserialize, Serialize};
use proxmox::api::{api, Router, RpcEnvironment, schema::Updatable}; use proxmox::api::{api, Router, RpcEnvironment, Permission, schema::Updatable};
use proxmox::tools::fs::open_file_locked; use proxmox::tools::fs::open_file_locked;
use crate::{ use crate::{
api2::types::{ api2::types::{
Authid,
JOB_ID_SCHEMA, JOB_ID_SCHEMA,
PROXMOX_CONFIG_DIGEST_SCHEMA, PROXMOX_CONFIG_DIGEST_SCHEMA,
}, },
config::{ config::{
self, self,
cached_user_info::CachedUserInfo,
acl::{
PRIV_TAPE_AUDIT,
PRIV_TAPE_MODIFY,
},
tape_job::{ tape_job::{
TAPE_JOB_CFG_LOCKFILE, TAPE_JOB_CFG_LOCKFILE,
TapeBackupJobConfig, TapeBackupJobConfig,
@ -29,16 +35,30 @@ use crate::{
type: Array, type: Array,
items: { type: TapeBackupJobConfig }, items: { type: TapeBackupJobConfig },
}, },
access: {
description: "List configured tape jobs filtered by Tape.Audit privileges",
permission: &Permission::Anybody,
},
)] )]
/// List all tape backup jobs /// List all tape backup jobs
pub fn list_tape_backup_jobs( pub fn list_tape_backup_jobs(
_param: Value, _param: Value,
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<TapeBackupJobConfig>, Error> { ) -> Result<Vec<TapeBackupJobConfig>, Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?;
let (config, digest) = config::tape_job::config()?; let (config, digest) = config::tape_job::config()?;
let list = config.convert_to_typed_array("backup")?; let list = config.convert_to_typed_array::<TapeBackupJobConfig>("backup")?;
let list = list
.into_iter()
.filter(|job| {
let privs = user_info.lookup_privs(&auth_id, &["tape", "job", &job.id]);
privs & PRIV_TAPE_AUDIT != 0
})
.collect();
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into(); rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
@ -55,6 +75,9 @@ pub fn list_tape_backup_jobs(
}, },
}, },
}, },
access: {
permission: &Permission::Privilege(&["tape", "job"], PRIV_TAPE_MODIFY, false),
},
)] )]
/// Create a new tape backup job. /// Create a new tape backup job.
pub fn create_tape_backup_job( pub fn create_tape_backup_job(
@ -88,6 +111,9 @@ pub fn create_tape_backup_job(
}, },
}, },
returns: { type: TapeBackupJobConfig }, returns: { type: TapeBackupJobConfig },
access: {
permission: &Permission::Privilege(&["tape", "job", "{id}"], PRIV_TAPE_AUDIT, false),
},
)] )]
/// Read a tape backup job configuration. /// Read a tape backup job configuration.
pub fn read_tape_backup_job( pub fn read_tape_backup_job(
@ -143,6 +169,9 @@ pub enum DeletableProperty {
}, },
}, },
}, },
access: {
permission: &Permission::Privilege(&["tape", "job", "{id}"], PRIV_TAPE_MODIFY, false),
},
)] )]
/// Update the tape backup job /// Update the tape backup job
pub fn update_tape_backup_job( pub fn update_tape_backup_job(
@ -185,6 +214,9 @@ pub fn update_tape_backup_job(
}, },
}, },
}, },
access: {
permission: &Permission::Privilege(&["tape", "job", "{id}"], PRIV_TAPE_MODIFY, false),
},
)] )]
/// Remove a tape backup job configuration /// Remove a tape backup job configuration
pub fn delete_tape_backup_job( pub fn delete_tape_backup_job(
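Review bot: The list endpoint in the second hunk (`@ -29,16 +35,30`) declares `permission: &Permission::Anybody` and enforces access solely through the per-job `lookup_privs` filter in the body, so nothing at the declaration site tells a later maintainer that removing or reordering that filter exposes every configured job to any authenticated user; a comment on the `access` block such as `// Anybody: authorization is enforced per job in the handler (PRIV_TAPE_AUDIT on tape/job/<id>)` would make the invariant visible, and the same applies to the status list in the second file (`@ -72,12 +77,18` and `@ -92,6 +103,11`). The same hunk parses the identity with `rpcenv.get_auth_id().unwrap()`, which panics rather than returning an error when the environment carries no auth id; unless the surrounding handlers already rely on that convention, `rpcenv.get_auth_id().ok_or_else(|| format_err!("no auth id in rpcenv"))?.parse()?` keeps the failure on the `Result` path (`format_err` is already imported on the first hunk's header line). The create/update/delete hunks gate on `PRIV_TAPE_MODIFY` for the `tape/job` path only; if a job setup references a datastore or drive (its fields are not visible here), it is worth confirming whether privileges on those objects should be checked as well, since a job definition can otherwise name resources the caller may not be allowed to read. The body of `list_tape_backup_jobs` continues outside the second hunk.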


@ -10,6 +10,7 @@ use proxmox::{
RpcEnvironment, RpcEnvironment,
RpcEnvironmentType, RpcEnvironmentType,
Router, Router,
Permission,
}, },
}; };
@ -17,6 +18,10 @@ use crate::{
task_log, task_log,
config::{ config::{
self, self,
cached_user_info::CachedUserInfo,
acl::{
PRIV_TAPE_AUDIT,
},
tape_job::{ tape_job::{
TapeBackupJobConfig, TapeBackupJobConfig,
TapeBackupJobSetup, TapeBackupJobSetup,
@ -72,12 +77,18 @@ pub const ROUTER: Router = Router::new()
type: Array, type: Array,
items: { type: TapeBackupJobStatus }, items: { type: TapeBackupJobStatus },
}, },
access: {
description: "List configured tape jobs filtered by Tape.Audit privileges",
permission: &Permission::Anybody,
},
)] )]
/// List all tape backup jobs /// List all tape backup jobs
pub fn list_tape_backup_jobs( pub fn list_tape_backup_jobs(
_param: Value, _param: Value,
mut rpcenv: &mut dyn RpcEnvironment, mut rpcenv: &mut dyn RpcEnvironment,
) -> Result<Vec<TapeBackupJobStatus>, Error> { ) -> Result<Vec<TapeBackupJobStatus>, Error> {
let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
let user_info = CachedUserInfo::new()?;
let (config, digest) = config::tape_job::config()?; let (config, digest) = config::tape_job::config()?;
@ -92,6 +103,11 @@ pub fn list_tape_backup_jobs(
let mut list = Vec::new(); let mut list = Vec::new();
for job in job_list_iter { for job in job_list_iter {
let privs = user_info.lookup_privs(&auth_id, &["tape", "job", &job.id]);
if (privs & PRIV_TAPE_AUDIT) == 0 {
continue;
}
let last_state = JobState::load("tape-backup-job", &job.id) let last_state = JobState::load("tape-backup-job", &job.id)
.map_err(|err| format_err!("could not open statefile for {}: {}", &job.id, err))?; .map_err(|err| format_err!("could not open statefile for {}: {}", &job.id, err))?;