fix #3014: allow DataStoreAdmins to list DS config
filtered by those they are privileged enough to read individually. this allows such users to configure prune/GC schedules via the GUI (the API already allowed it previously). permission-wise, a user with this privilege can already: - list all stores they have access to (returns just name/comment) - read the config of each store they have access to individually (returns full config of that datastore + digest of whole config) but combines them to - read configs of all datastores they have access to (returns full config of those datastores + digest of whole config) user that have AUDIT on just /datastore without propagate can now no longer read all configurations (but this could be added it back, it just seems to make little sense to me). Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
parent
9cebc837d5
commit
b93bbab454
@ -9,6 +9,7 @@ use proxmox::tools::fs::open_file_locked;
|
|||||||
|
|
||||||
use crate::api2::types::*;
|
use crate::api2::types::*;
|
||||||
use crate::backup::*;
|
use crate::backup::*;
|
||||||
|
use crate::config::cached_user_info::CachedUserInfo;
|
||||||
use crate::config::datastore::{self, DataStoreConfig, DIR_NAME_SCHEMA};
|
use crate::config::datastore::{self, DataStoreConfig, DIR_NAME_SCHEMA};
|
||||||
use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY};
|
use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY};
|
||||||
|
|
||||||
@ -22,7 +23,7 @@ use crate::config::acl::{PRIV_DATASTORE_AUDIT, PRIV_DATASTORE_MODIFY};
|
|||||||
items: { type: datastore::DataStoreConfig },
|
items: { type: datastore::DataStoreConfig },
|
||||||
},
|
},
|
||||||
access: {
|
access: {
|
||||||
permission: &Permission::Privilege(&["datastore"], PRIV_DATASTORE_AUDIT, false),
|
permission: &Permission::Anybody,
|
||||||
},
|
},
|
||||||
)]
|
)]
|
||||||
/// List all datastores
|
/// List all datastores
|
||||||
@ -33,11 +34,18 @@ pub fn list_datastores(
|
|||||||
|
|
||||||
let (config, digest) = datastore::config()?;
|
let (config, digest) = datastore::config()?;
|
||||||
|
|
||||||
let list = config.convert_to_typed_array("datastore")?;
|
let userid: Userid = rpcenv.get_user().unwrap().parse()?;
|
||||||
|
let user_info = CachedUserInfo::new()?;
|
||||||
|
|
||||||
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
rpcenv["digest"] = proxmox::tools::digest_to_hex(&digest).into();
|
||||||
|
|
||||||
Ok(list)
|
let list:Vec<DataStoreConfig> = config.convert_to_typed_array("datastore")?;
|
||||||
|
let filter_by_privs = |store: &DataStoreConfig| {
|
||||||
|
let user_privs = user_info.lookup_privs(&userid, &["datastore", &store.name]);
|
||||||
|
(user_privs & PRIV_DATASTORE_AUDIT) != 0
|
||||||
|
};
|
||||||
|
|
||||||
|
Ok(list.into_iter().filter(filter_by_privs).collect())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user