tyler
/
proxmox-backup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

src/config/acl.rs: introduice privileges and roles for remotes

This commit is contained in:
Dietmar Maurer 2020-04-29 07:03:44 +02:00
parent 409f44247b
commit 8247db5b39
4 changed files with 47 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/api2/config/remote.rs
View File

@ -5,7 +5,7 @@ use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};
use crate::api2::types::*; use crate::api2::types::*;
use crate::config::remote; use crate::config::remote;
use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY}; use crate::config::acl::{PRIV_REMOTE_AUDIT, PRIV_REMOTE_MODIFY};
#[api( #[api(
input: { input: {
@ -39,7 +39,7 @@ use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
}, },
}, },
access: { access: {
permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false), permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_AUDIT, false),
}, },
)] )]
/// List all remotes /// List all remotes
@ -83,7 +83,7 @@ pub fn list_remotes(
}, },
}, },
access: { access: {
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false), permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_MODIFY, false),
}, },
)] )]
/// Create new remote. /// Create new remote.
@ -119,7 +119,7 @@ pub fn create_remote(name: String, param: Value) -> Result<(), Error> {
type: remote::Remote, type: remote::Remote,
}, },
access: { access: {
permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false), permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_AUDIT, false),
} }
)] )]
/// Read remote configuration data. /// Read remote configuration data.
@ -165,7 +165,7 @@ pub fn read_remote(name: String) -> Result<Value, Error> {
}, },
}, },
access: { access: {
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false), permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
}, },
)] )]
/// Update remote configuration. /// Update remote configuration.
@ -222,7 +222,7 @@ pub fn update_remote(
}, },
}, },
access: { access: {
permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false), permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
}, },
)] )]
/// Remove a remote from the configuration file. /// Remove a remote from the configuration file.

6
src/api2/pull.rs
View File

@ -16,7 +16,7 @@ use crate::backup::*;
use crate::client::*; use crate::client::*;
use crate::config::remote; use crate::config::remote;
use crate::api2::types::*; use crate::api2::types::*;
use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ}; use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_REMOTE_READ};
use crate::config::cached_user_info::CachedUserInfo; use crate::config::cached_user_info::CachedUserInfo;
// fixme: implement filters // fixme: implement filters
@ -405,7 +405,7 @@ pub async fn pull_store(
access: { access: {
// Note: used parameters are no uri parameters, so we need to test inside function body // Note: used parameters are no uri parameters, so we need to test inside function body
description: r###"The user needs Datastore.Backup privilege on '/datastore/{store}', description: r###"The user needs Datastore.Backup privilege on '/datastore/{store}',
and needs to own the backup group. Datastore.Read is required on '/remote/{remote}/{remote-store}'. and needs to own the backup group. Remote.Read is required on '/remote/{remote}/{remote-store}'.
"###, "###,
permission: &Permission::Anybody, permission: &Permission::Anybody,
}, },
@ -424,7 +424,7 @@ async fn pull (
let username = rpcenv.get_user().unwrap(); let username = rpcenv.get_user().unwrap();
user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_BACKUP, false)?; user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_BACKUP, false)?;
user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?; user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_REMOTE_READ, false)?;
let delete = delete.unwrap_or(true); let delete = delete.unwrap_or(true);

3
src/api2/types.rs
View File

@ -261,6 +261,9 @@ pub const ACL_ROLE_SCHEMA: Schema = StringSchema::new(
"Datastore.Audit", "Datastore.Audit",
"Datastore.Backup", "Datastore.Backup",
"Datastore.PowerUser", "Datastore.PowerUser",
"Remote.Admin",
"Remote.Audit",
"Remote.SyncOperator",
"NoAccess", "NoAccess",
])) ]))
.schema(); .schema();

35
src/config/acl.rs
View File

@ -26,6 +26,11 @@ pub const PRIV_DATASTORE_PRUNE: u64 = 1 << 7;
pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 8; pub const PRIV_PERMISSIONS_MODIFY: u64 = 1 << 8;
pub const PRIV_REMOTE_AUDIT: u64 = 1 << 9;
pub const PRIV_REMOTE_MODIFY: u64 = 1 << 10;
pub const PRIV_REMOTE_READ: u64 = 1 << 11;
pub const PRIV_REMOTE_PRUNE: u64 = 1 << 12;
pub const ROLE_ADMIN: u64 = std::u64::MAX; pub const ROLE_ADMIN: u64 = std::u64::MAX;
pub const ROLE_NO_ACCESS: u64 = 0; pub const ROLE_NO_ACCESS: u64 = 0;
@ -59,6 +64,23 @@ PRIV_DATASTORE_BACKUP;
pub const ROLE_DATASTORE_AUDIT: u64 = pub const ROLE_DATASTORE_AUDIT: u64 =
PRIV_DATASTORE_AUDIT; PRIV_DATASTORE_AUDIT;
/// Remote.Audit can audit the remote
pub const ROLE_REMOTE_AUDIT: u64 =
PRIV_REMOTE_AUDIT;
/// Remote.Admin can do anything on the remote.
pub const ROLE_REMOTE_ADMIN: u64 =
PRIV_REMOTE_AUDIT |
PRIV_REMOTE_MODIFY |
PRIV_REMOTE_READ |
PRIV_REMOTE_PRUNE;
/// Remote.SyncOperator can do read and prune on the remote.
pub const ROLE_REMOTE_SYNC_OPERATOR: u64 =
PRIV_REMOTE_AUDIT |
PRIV_REMOTE_READ |
PRIV_REMOTE_PRUNE;
pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess"; pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";
lazy_static! { lazy_static! {
@ -99,6 +121,19 @@ lazy_static! {
"Datastore Auditor", "Datastore Auditor",
)); ));
map.insert("Remote.Audit", (
ROLE_REMOTE_AUDIT,
"Remote Auditor",
));
map.insert("Remote.Admin", (
ROLE_REMOTE_ADMIN,
"Remote Administrator",
));
map.insert("Remote.SyncOperator", (
ROLE_REMOTE_SYNC_OPERATOR,
"Syncronisation Opertator",
));
map map
}; };
} }