From 8247db5b399c5e312fb8ea4891ff5512a4c375c6 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 29 Apr 2020 07:03:44 +0200
Subject: [PATCH] src/config/acl.rs: introduice privileges and roles for remotes
---
 src/api2/config/remote.rs | 12 ++++++------
 src/api2/pull.rs | 6 +++---
 src/api2/types.rs | 3 +++
 src/config/acl.rs | 35 +++++++++++++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/src/api2/config/remote.rs b/src/api2/config/remote.rs
index 5dcd6739..721a8e78 100644
--- a/src/api2/config/remote.rs
+++ b/src/api2/config/remote.rs
@@ -5,7 +5,7 @@ use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};
 use crate::api2::types::*;
 use crate::config::remote;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_REMOTE_AUDIT, PRIV_REMOTE_MODIFY};
 #[api(
 input: {
@@ -39,7 +39,7 @@ use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_AUDIT, false),
 },
 )]
 /// List all remotes
@@ -83,7 +83,7 @@ pub fn list_remotes(
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_MODIFY, false),
 },
 )]
 /// Create new remote.
@@ -119,7 +119,7 @@ pub fn create_remote(name: String, param: Value) -> Result<(), Error> {
 type: remote::Remote,
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+ permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_AUDIT, false),
 }
 )]
 /// Read remote configuration data.
@@ -165,7 +165,7 @@ pub fn read_remote(name: String) -> Result {
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
 },
 )]
 /// Update remote configuration.
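Review bot: The listing in the `@@ -39,7` hunk is authorized on `/remote` alone, while the read, update and delete handlers (`@@ -119,7`, `@@ -165,7`, `@@ -222,7`) are authorized on `/remote/{name}`. Unless `list_remotes` filters its result per entry, an ACL entry that restricts a single remote, such as `NoAccess` on `/remote/{name}`, would not hide that remote from the listing; the function body is outside the hunk, so this is not visible here. A comment above the `access` block would record the intent, for example `// returns all remotes; ACL entries on /remote/{name} are not evaluated here`.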
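Review bot: `PRIV_REMOTE_AUDIT` on `/remote/{name}` now returns a whole `remote::Remote` object from the read handler in the `@@ -119,7` hunk, and the same privilege is part of `ROLE_REMOTE_SYNC_OPERATOR` in `src/config/acl.rs`. The `Remote` type is declared outside this patch; if it holds the credential used to log in to the remote host, an audit-level privilege would disclose it. In that case the read and list handlers should clear the secret before returning, and a doc line such as `/// The stored password is never returned.` should say so. The handler bodies start after the hunks.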
@@ -222,7 +222,7 @@ pub fn update_remote(
 },
 },
 access: {
- permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+ permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
 },
 )]
 /// Remove a remote from the configuration file.
diff --git a/src/api2/pull.rs b/src/api2/pull.rs
index de394419..d19e0d78 100644
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@@ -16,7 +16,7 @@ use crate::backup::*;
 use crate::client::*;
 use crate::config::remote;
 use crate::api2::types::*;
-use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ};
+use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_REMOTE_READ};
 use crate::config::cached_user_info::CachedUserInfo;
 // fixme: implement filters
@@ -405,7 +405,7 @@ pub async fn pull_store(
 access: {
 // Note: used parameters are no uri parameters, so we need to test inside function body
 description: r###"The user needs Datastore.Backup privilege on '/datastore/{store}',
-and needs to own the backup group. Datastore.Read is required on '/remote/{remote}/{remote-store}'.
+and needs to own the backup group. Remote.Read is required on '/remote/{remote}/{remote-store}'.
 "###,
 permission: &Permission::Anybody,
 },
@@ -424,7 +424,7 @@ async fn pull (
 let username = rpcenv.get_user().unwrap();
 user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_BACKUP, false)?;
- user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?;
+ user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_REMOTE_READ, false)?;
 let delete = delete.unwrap_or(true);
diff --git a/src/api2/types.rs b/src/api2/types.rs
index 5b852a88..5a0b355d 100644
--- a/src/api2/types.rs
+++ b/src/api2/types.rs
@@ -261,6 +261,9 @@ pub const ACL_ROLE_SCHEMA: Schema = StringSchema::new(
 "Datastore.Audit",
 "Datastore.Backup",
 "Datastore.PowerUser",
+ "Remote.Admin",
+ "Remote.Audit",
+ "Remote.SyncOperator",
 "NoAccess",
 ]))
 .schema();
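Review bot: The two `check_privs` calls in the `@@ -424,7` hunk of `src/api2/pull.rs` are the only authorization for this endpoint, because the `access` block in the `@@ -405,7` hunk declares `Permission::Anybody`; nothing in the code marks them as such. A comment above them, for example `// sole authorization for this call: keep both checks ahead of any other work`, would protect them from later reordering. Replacing `PRIV_DATASTORE_READ` with `PRIV_REMOTE_READ` also means that existing ACL entries granting Datastore.Read on `/remote/{remote}/{remote-store}` stop authorizing a pull; that fails closed, but the commit message should mention it so operators know to re-grant a Remote role. The body of `pull` continues outside the hunk.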
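Review bot: The three names added to `ACL_ROLE_SCHEMA` in `src/api2/types.rs` must match, by hand, the keys inserted into the role map in `src/config/acl.rs`; nothing in the patch ties the two lists together. A role present in only one list would presumably be either rejected by the API schema or unknown to the ACL code, and a misspelled role name is easy to miss in review. A unit test that walks the role map and checks each key against this enum would catch drift; at minimum add `// keep in sync with the role map in src/config/acl.rs` above the list. The enum list starts before the hunk.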
diff --git a/src/config/acl.rs b/src/config/acl.rs
index 8c40aa88..b10be9c4 100644
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@@ -26,6 +26,11 @@ pub const PRIV_DATASTORE_PRUNE: u64 = 1 << 7;
 pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 8;
+pub const PRIV_REMOTE_AUDIT: u64 = 1 << 9;
+pub const PRIV_REMOTE_MODIFY: u64 = 1 << 10;
+pub const PRIV_REMOTE_READ: u64 = 1 << 11;
+pub const PRIV_REMOTE_PRUNE: u64 = 1 << 12;
+
 pub const ROLE_ADMIN: u64 = std::u64::MAX;
 pub const ROLE_NO_ACCESS: u64 = 0;
@@ -59,6 +64,23 @@ PRIV_DATASTORE_BACKUP;
 pub const ROLE_DATASTORE_AUDIT: u64 =
 PRIV_DATASTORE_AUDIT;
+/// Remote.Audit can audit the remote
+pub const ROLE_REMOTE_AUDIT: u64 =
+PRIV_REMOTE_AUDIT;
+
+/// Remote.Admin can do anything on the remote.
+pub const ROLE_REMOTE_ADMIN: u64 =
+PRIV_REMOTE_AUDIT |
+PRIV_REMOTE_MODIFY |
+PRIV_REMOTE_READ |
+PRIV_REMOTE_PRUNE;
+
+/// Remote.SyncOperator can do read and prune on the remote.
+pub const ROLE_REMOTE_SYNC_OPERATOR: u64 =
+PRIV_REMOTE_AUDIT |
+PRIV_REMOTE_READ |
+PRIV_REMOTE_PRUNE;
+
 pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";
 lazy_static! {
@@ -99,6 +121,19 @@ lazy_static! {
 "Datastore Auditor",
 ));
+ map.insert("Remote.Audit", (
+ ROLE_REMOTE_AUDIT,
+ "Remote Auditor",
+ ));
+ map.insert("Remote.Admin", (
+ ROLE_REMOTE_ADMIN,
+ "Remote Administrator",
+ ));
+ map.insert("Remote.SyncOperator", (
+ ROLE_REMOTE_SYNC_OPERATOR,
+ "Syncronisation Opertator",
+ ));
+
 map
 };
 }
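Review bot: `PRIV_REMOTE_PRUNE` in the `@@ -26,6` hunk is granted by `ROLE_REMOTE_ADMIN` and `ROLE_REMOTE_SYNC_OPERATOR` in the next hunk, but no handler touched by this patch checks it. A privilege bit that can be assigned before its meaning is fixed may later authorize an operation that nobody had in mind when the grant was made. Either leave the bit out until an endpoint uses it, or document it on the constant, for example `/// Remote.Prune: reserved, not checked by any API call yet`. The other three constants would benefit from a one-line doc comment naming the API calls they gate.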
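Review bot: The doc comment on `ROLE_REMOTE_SYNC_OPERATOR` in the `@@ -59,6` hunk says the role can "do read and prune", but its mask also contains `PRIV_REMOTE_AUDIT`. In this same commit that bit gates listing and reading remote entries in `src/api2/config/remote.rs`, so it is not a cosmetic addition. If it is intended, the comment should read `/// Remote.SyncOperator can audit, read and prune on the remote.`; if a sync operator has no need to see the remote configuration, drop `PRIV_REMOTE_AUDIT` from the mask.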
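Review bot: The description string for `Remote.SyncOperator` in the `@@ -99,6` hunk is misspelled: `"Syncronisation Opertator"` should be `"Synchronisation Operator"`. The two sibling entries carry the `Remote` prefix (`"Remote Auditor"`, `"Remote Administrator"`), so `"Remote Synchronisation Operator"` would be consistent and would tell an administrator reading the role list what the role applies to. The string is presumably shown wherever roles are listed, so it is worth fixing before release. The `lazy_static!` block starts before the hunk.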