tape: impl api permissions for drive/changer/pool configuration

2021-03-03 12:10:00 +01:00
parent b90cb34fd6
commit 8cd63df0dc
5 changed files with 150 additions and 9 deletions
--- a/src/api2/tape/drive.rs
+++ b/src/api2/tape/drive.rs
@ -16,6 +16,7 @@ use proxmox::{
        section_config::SectionConfigData,
        RpcEnvironment,
        RpcEnvironmentType,
+        Permission,
        Router,
        SubdirMap,
    },
@ -23,7 +24,13 @@ use proxmox::{

 use crate::{
    task_log,
-    config,
+    config::{
+        self,
+        cached_user_info::CachedUserInfo,
+        acl::{
+            PRIV_TAPE_AUDIT,
+        },
+    },
    api2::{
        types::{
            UPID_SCHEMA,
@ -1203,12 +1210,19 @@ pub fn catalog_media(
            type: DriveListEntry,
        },
    },
+    access: {
+        description: "List configured tape drives filtered by Tape.Audit privileges",
+        permission: &Permission::Anybody,
+    },
 )]
 /// List drives
 pub fn list_drives(
    changer: Option<String>,
    _param: Value,
+    rpcenv: &mut dyn RpcEnvironment,
 ) -> Result<Vec<DriveListEntry>, Error> {
+    let auth_id: Authid = rpcenv.get_auth_id().unwrap().parse()?;
+    let user_info = CachedUserInfo::new()?;

    let (config, _) = config::drive::config()?;

@ -1223,6 +1237,11 @@ pub fn list_drives(
            continue;
        }

+        let privs = user_info.lookup_privs(&auth_id, &["tape", "drive", &drive.name]);
+        if (privs & PRIV_TAPE_AUDIT) == 0 {
+            continue;
+        }
+
        let info = lookup_device_identification(&linux_drives, &drive.path);
        let state = get_tape_device_state(&config, &drive.name)?;
        let entry = DriveListEntry { config: drive, info, state };