sync job: don't require privs on datastore

syncing to a namespace only requires privileges on the namespace (and
potentially its children during execution).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

pbs-api-types/src/jobs.rs

@@ -7,9 +7,9 @@ use serde::{Deserialize, Serialize};
 use proxmox_schema::*;
 
 use crate::{
-    Authid, BackupNamespace, BackupType, RateLimitConfig, Userid, BACKUP_GROUP_SCHEMA,
-    BACKUP_NAMESPACE_SCHEMA, DATASTORE_SCHEMA, DRIVE_NAME_SCHEMA, MEDIA_POOL_NAME_SCHEMA,
-    NS_MAX_DEPTH_REDUCED_SCHEMA, PROXMOX_SAFE_ID_FORMAT, REMOTE_ID_SCHEMA,
+    Authid, BackupNamespace, BackupType, DatastoreWithNamespace, RateLimitConfig, Userid,
+    BACKUP_GROUP_SCHEMA, BACKUP_NAMESPACE_SCHEMA, DATASTORE_SCHEMA, DRIVE_NAME_SCHEMA,
+    MEDIA_POOL_NAME_SCHEMA, NS_MAX_DEPTH_REDUCED_SCHEMA, PROXMOX_SAFE_ID_FORMAT, REMOTE_ID_SCHEMA,
     SINGLE_LINE_COMMENT_SCHEMA,
 };
 
@@ -498,6 +498,15 @@ pub struct SyncJobConfig {
     pub limit: RateLimitConfig,
 }
 
+impl SyncJobConfig {
+    pub fn store_with_ns(&self) -> DatastoreWithNamespace {
+        DatastoreWithNamespace {
+            store: self.store.clone(),
+            ns: self.ns.clone().unwrap_or_default(),
+        }
+    }
+}
+
 #[api(
     properties: {
         config: {

src/api2/config/sync.rs

@@ -20,18 +20,11 @@ pub fn check_sync_job_read_access(
     auth_id: &Authid,
     job: &SyncJobConfig,
 ) -> bool {
-    let datastore_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store]);
-    if datastore_privs & PRIV_DATASTORE_AUDIT == 0 {
+    let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.store_with_ns().acl_path());
+    if ns_anchor_privs & PRIV_DATASTORE_AUDIT == 0 {
         return false;
     }
 
-    if let Some(ref ns) = job.ns {
-        let ns_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store, &ns.to_string()]);
-        if ns_privs & PRIV_DATASTORE_AUDIT == 0 {
-            return false;
-        }
-    }
-
     let remote_privs = user_info.lookup_privs(auth_id, &["remote", &job.remote]);
     remote_privs & PRIV_REMOTE_AUDIT != 0
 }
@@ -45,20 +38,13 @@ pub fn check_sync_job_modify_access(
     auth_id: &Authid,
     job: &SyncJobConfig,
 ) -> bool {
-    let datastore_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store]);
-    if datastore_privs & PRIV_DATASTORE_BACKUP == 0 {
+    let ns_anchor_privs = user_info.lookup_privs(auth_id, &job.store_with_ns().acl_path());
+    if ns_anchor_privs & PRIV_DATASTORE_BACKUP == 0 {
         return false;
     }
 
-    if let Some(ref ns) = job.ns {
-        let ns_privs = user_info.lookup_privs(auth_id, &["datastore", &job.store, &ns.to_string()]);
-        if ns_privs & PRIV_DATASTORE_BACKUP == 0 {
-            return false;
-        }
-    }
-
     if let Some(true) = job.remove_vanished {
-        if datastore_privs & PRIV_DATASTORE_PRUNE == 0 {
+        if ns_anchor_privs & PRIV_DATASTORE_PRUNE == 0 {
             return false;
         }
     }
@@ -73,7 +59,7 @@ pub fn check_sync_job_modify_access(
     };
 
     // same permission as changing ownership after syncing
-    if !correct_owner && datastore_privs & PRIV_DATASTORE_MODIFY == 0 {
+    if !correct_owner && ns_anchor_privs & PRIV_DATASTORE_MODIFY == 0 {
         return false;
     }