src/config/acl.rs: introduice privileges and roles for remotes

2020-04-29 07:03:44 +02:00 · 2020-04-29 07:03:44 +02:00 · 8247db5b39
parent 409f44247b
commit 8247db5b39
4 changed files with 47 additions and 9 deletions
--- a/src/api2/config/remote.rs
+++ b/src/api2/config/remote.rs
@ -5,7 +5,7 @@ use proxmox::api::{api, ApiMethod, Router, RpcEnvironment, Permission};

 use crate::api2::types::*;
 use crate::config::remote;
-use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
+use crate::config::acl::{PRIV_REMOTE_AUDIT, PRIV_REMOTE_MODIFY};

 #[api(
    input: {
@ -39,7 +39,7 @@ use crate::config::acl::{PRIV_SYS_AUDIT, PRIV_SYS_MODIFY};
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_AUDIT, false),
    },
 )]
 /// List all remotes
@ -83,7 +83,7 @@ pub fn list_remotes(
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["remote"], PRIV_REMOTE_MODIFY, false),
    },
 )]
 /// Create new remote.
@ -119,7 +119,7 @@ pub fn create_remote(name: String, param: Value) -> Result<(), Error> {
        type: remote::Remote,
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_AUDIT, false),
+        permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_AUDIT, false),
    }
 )]
 /// Read remote configuration data.
@ -165,7 +165,7 @@ pub fn read_remote(name: String) -> Result<Value, Error> {
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
    },
 )]
 /// Update remote configuration.
@ -222,7 +222,7 @@ pub fn update_remote(
        },
    },
    access: {
-        permission: &Permission::Privilege(&[], PRIV_SYS_MODIFY, false),
+        permission: &Permission::Privilege(&["remote", "{name}"], PRIV_REMOTE_MODIFY, false),
    },
 )]
 /// Remove a remote from the configuration file.
--- a/src/api2/pull.rs
+++ b/src/api2/pull.rs
@ -16,7 +16,7 @@ use crate::backup::*;
 use crate::client::*;
 use crate::config::remote;
 use crate::api2::types::*;
-use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_DATASTORE_READ};
+use crate::config::acl::{PRIV_DATASTORE_BACKUP, PRIV_REMOTE_READ};
 use crate::config::cached_user_info::CachedUserInfo;

 // fixme: implement filters
@ -405,7 +405,7 @@ pub async fn pull_store(
    access: {
        // Note: used parameters are no uri parameters, so we need to test inside function body
        description: r###"The user needs Datastore.Backup privilege on '/datastore/{store}',
-and needs to own the backup group. Datastore.Read is required on '/remote/{remote}/{remote-store}'.
+and needs to own the backup group. Remote.Read is required on '/remote/{remote}/{remote-store}'.
 "###,
        permission: &Permission::Anybody,
    },
@ -424,7 +424,7 @@ async fn pull (

    let username = rpcenv.get_user().unwrap();
    user_info.check_privs(&username, &["datastore", &store], PRIV_DATASTORE_BACKUP, false)?;
-    user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_DATASTORE_READ, false)?;
+    user_info.check_privs(&username, &["remote", &remote, &remote_store], PRIV_REMOTE_READ, false)?;

    let delete = delete.unwrap_or(true);

--- a/src/api2/types.rs
+++ b/src/api2/types.rs
@ -261,6 +261,9 @@ pub const ACL_ROLE_SCHEMA: Schema = StringSchema::new(
        "Datastore.Audit",
        "Datastore.Backup",
        "Datastore.PowerUser",
+        "Remote.Admin",
+        "Remote.Audit",
+        "Remote.SyncOperator",
        "NoAccess",
    ]))
    .schema();
--- a/src/config/acl.rs
+++ b/src/config/acl.rs
@ -26,6 +26,11 @@ pub const PRIV_DATASTORE_PRUNE: u64              = 1 << 7;

 pub const PRIV_PERMISSIONS_MODIFY: u64           = 1 << 8;

+pub const PRIV_REMOTE_AUDIT: u64                 = 1 << 9;
+pub const PRIV_REMOTE_MODIFY: u64                = 1 << 10;
+pub const PRIV_REMOTE_READ: u64                  = 1 << 11;
+pub const PRIV_REMOTE_PRUNE: u64                 = 1 << 12;
+
 pub const ROLE_ADMIN: u64 = std::u64::MAX;
 pub const ROLE_NO_ACCESS: u64 = 0;

@ -59,6 +64,23 @@ PRIV_DATASTORE_BACKUP;
 pub const ROLE_DATASTORE_AUDIT: u64 =
 PRIV_DATASTORE_AUDIT;

+/// Remote.Audit can audit the remote
+pub const ROLE_REMOTE_AUDIT: u64 =
+PRIV_REMOTE_AUDIT;
+
+/// Remote.Admin can do anything on the remote.
+pub const ROLE_REMOTE_ADMIN: u64 =
+PRIV_REMOTE_AUDIT |
+PRIV_REMOTE_MODIFY |
+PRIV_REMOTE_READ |
+PRIV_REMOTE_PRUNE;
+
+/// Remote.SyncOperator can do read and prune on the remote.
+pub const ROLE_REMOTE_SYNC_OPERATOR: u64 =
+PRIV_REMOTE_AUDIT |
+PRIV_REMOTE_READ |
+PRIV_REMOTE_PRUNE;
+
 pub const ROLE_NAME_NO_ACCESS: &str ="NoAccess";

 lazy_static! {
@ -99,6 +121,19 @@ lazy_static! {
            "Datastore Auditor",
        ));

+        map.insert("Remote.Audit", (
+            ROLE_REMOTE_AUDIT,
+            "Remote Auditor",
+        ));
+        map.insert("Remote.Admin", (
+            ROLE_REMOTE_ADMIN,
+            "Remote Administrator",
+        ));
+        map.insert("Remote.SyncOperator", (
+            ROLE_REMOTE_SYNC_OPERATOR,
+            "Syncronisation Opertator",
+        ));
+
        map
    };
 }