src/config/acl.rs: introduice privileges and roles for remotes

2020-04-29 07:03:44 +02:00
parent 409f44247b
commit 8247db5b39
4 changed files with 47 additions and 9 deletions
--- a/src/api2/config/remote.rs
+++ b/src/api2/config/remote.rs
@ -5,7 +5,7 @@ use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};

 use crate::api2::types::*;
 use crate::config::remote;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_REMOTE_AUDIT, PRIV_REMOTE_MODIFY};

 #[api(
    input: {
@ -39,7 +39,7 @@ use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_AUDIT, false),
    },
 )]
 /// List all remotes
@ -83,7 +83,7 @@ pub fn list_remotes(
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_MODIFY, false),
    },
 )]
 /// Create new remote.
@ -119,7 +119,7 @@ pub fn create_remote(name: String, param: Value) -> Result<(), Error> {
        type: remote::Remote,
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_AUDIT, false),
    }
 )]
 /// Read remote configuration data.
@ -165,7 +165,7 @@ pub fn read_remote(name: String) -> Result<Value, Error> {
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
    },
 )]
 /// Update remote configuration.
@ -222,7 +222,7 @@ pub fn update_remote(
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
    },
 )]
 /// Remove a remote from the configuration file.
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@ -16,7 +16,7 @@ use crate::backup::*;
 use crate::client::*;
 use crate::config::remote;
 use crate::api2::types::*;
-use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ};
+use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_REMOTE_READ};
 use crate::config::cached_user_info::CachedUserInfo;

 // fixme: implement filters
@ -405,7 +405,7 @@ pub async fn pull_store(
    access: {
        // Note: used parameters are no uri parameters, so we need to test inside function body
        description: r###"The user needs Datastore.Backup privilege on '/datastore/{store}',
-and needs to own the backup group. Datastore.Read is required on '/remote/{remote}/{remote-store}'.
+and needs to own the backup group. Remote.Read is required on '/remote/{remote}/{remote-store}'.
 "###,
        permission: &Permission::Anybody,
    },
@ -424,7 +424,7 @@ async fn pull (

    let username = rpcenv.get_user().unwrap();
    user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_BACKUP, false)?;
-    user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?;
+    user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_REMOTE_READ, false)?;

    let delete = delete.unwrap_or(true);

--- a/src/api2/types.rs
+++ b/src/api2/types.rs
@ -261,6 +261,9 @@ pub const ACL_ROLE_SCHEMA: Schema = StringSchema::new(
        "Datastore.Audit",
        "Datastore.Backup",
        "Datastore.PowerUser",
+        "Remote.Admin",
+        "Remote.Audit",
+        "Remote.SyncOperator",
        "NoAccess",
    ]))
    .schema();